Awesome Web Security

🐶 A curated list of Web Security materials and resources.

Please read the contribution guidelines before contributing.

---

🌈 Want to strengthen your penetration skills?
I would recommend to play some awesome-ctfs.

---

Check out my repos 🐾 or say hi on my Twitter.

Menu

• Resource
  • XSS
  • SQL Injection
  • XML
• Evasion
  • CSP
  • JSMVC
• Trick
  • XSS
  • SQL Injection
  • SSRF
• PoC
  • JavaScript
• Tool
  • Code Generating
  • Disassembler
  • Fuzzing
  • Penetrating
  • Leaking
  • Detecting
• Blog
• Miscellaneous

Resource

XSS

• H5SC - HTML5 Security Cheatsheet - A collection of HTML5 related XSS attack vectors by @cure53.
• XSS.png - A XSS mind map by @jackmasa.

SQL Injection

• HQL for pentesters

XML

• XML实体攻击 - 从内网探测到命令执行步步惊心, written by 张天琪.

Rails

• Rails 動態樣板路徑的風險, written by Shaolin.
• Rails Security, written by @qazbnm456.

AngularJS

• XSS without HTML: Client-Side Template Injection with AngularJS, written by Gareth Heyes.

Evasion

CSP

• CSP: bypassing form-action with reflected XSS, written by Detectify Labs.

JSMVC

• JavaScript MVC and Templating Frameworks, written by Mario Heiderich.

Trick

XSS

• ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else, written by Mario Heiderich.

SQL Injection

• 屌智硬之mysql不用逗号注入, written by jinglingshu.
• 见招拆招：绕过WAF继续SQL注入常用方法, written by mikey.
• MySQL Error Based SQL Injection Using EXP, written by @osandamalith.

SSRF

• SSRF in https://imgur.com/vidgif/url, written by aesteral.

PoC

JavaScript

• js-vuln-db - A collection of JavaScript engine CVEs with PoCs by @tunz.

Tool

Code Generating

• VWGen - Vulnerable Web applications Generator by @qazbnm456.

Disassembler

• plasma - Plasma is an interactive disassembler for x86/ARM/MIPS by @plasma-disassembler.
• radare2 - unix-like reverse engineering framework and commandline tools by @radare.

Fuzzing

• wfuzz - Web application bruteforcer by @xmendez.
• charsetinspect - A script that inspects multi-byte character sets looking for characters with specific user-defined properties by @hack-all-the-things.
• IPObfuscator - A simple too to convert the IP to a DWORD IP by @OsandaMalith.

Penetrating

• Burp Suite - Burp Suite is an integrated platform for performing security testing of web applications by portswigger.
• mitmproxy - An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers by @mitmproxy.

Leaking

• HTTPLeaks - All possible ways, a website can leak HTTP requests by @cure53.
• dvcs-ripper - Rip web accessible (distributed) version control systems: SVN/GIT/HG... by @kost.
• DVCS-Pillage - Pillage web accessible GIT, HG and BZR repositories by @evilpacket.

Detecting

• sqlchop - [DEPRECATED] A novel SQL injection detection engine built on top of SQL tokenizing and syntax analysis by chaitin.
• retire.js - Scanner detecting the use of JavaScript libraries with known vulnerabilities by @RetireJS.
• malware-jail - Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction by @HynekPetrak.

Others

• Dnslogger - Dns Logger by @iagox86.

Blog

• Orange - This is Orange Speaking :)
• Broken Browser - Fun with Browser Vulnerabilities.
• Blog of Osanda - Security Researching and Reverse Engineering.

Miscellaneous

• awesome-bug-bounty - A comprehensive curated list of available Bug Bounty & Disclosure Programs and write-ups by @djadmin.
• bug-bounty-reference - A list of bug bounty write-up that is categorized by the bug nature by @ngalongc.
• 如何正確的取得使用者 IP ？, written by Allen Own.
• 1000php - 1000个PHP代码审计案例(2016.7以前乌云公开漏洞) by @Xyntax.

License

To the extent possible under law, Sindre Sorhus has waived all copyright and related or neighboring rights to this work.