awesome-web-security/README.md

24 KiB
Raw Blame History

Awesome Web Security Awesome

🐶 Curated list of Web Security materials and resources.

Needless to say, most of websites on-line are suffered from various type of bugs, which might eventually lead to vulnerabilities. Why would this happen so often? Many factors can be involved, including misconfiguration, shortage of engineers' security skills, and etc. Therefore, here is the curated list of Web Security materials and resources for learning the cutting edge penetrating techniques.

Please read the contribution guidelines before contributing.


🌈 Want to strengthen your penetration skills?
I would recommend to play some awesome-ctfs.


Check out my repos 🐾 or say hi on my Twitter.

Contents

Forums

  • Drops (backup) - Drops was known as a famous knowledge base for hacking technology.
  • Paper from Seebug - Knowledge base for hacking technology built by Seebug.
  • Freebuf - Freebuf is the most popular forum in China for exchanging and sharing hacking technology.
  • 安全脉搏 - Blog for Security things.

Resources

Introductions

XSS

SQL Injection

XML

XXE

CSRF

SSRF

Rails

AngularJS

SSL/TLS

Webmail

AWS

Fingerprint

Books

Evasions

CSP

WAF

JSMVC

Authentication

Tricks

Remote Code Execution

XSS

SQL Injection

SSRF

Header Injection

URL

Others

Browser Exploitation

PoCs

JavaScript

Tools

Reconnaissance

  • Censys - Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet by University of Michigan.
  • urlscan.io - Service which analyses websites and the resources they request by @heipei.
  • Certificate Transparency - Google's Certificate Transparency project fixes several structural flaws in the SSL certificate system by @google.

Code Generating

Fuzzing

Penetrating

  • Burp Suite - Burp Suite is an integrated platform for performing security testing of web applications by portswigger.
  • mitmproxy - Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers by @mitmproxy.

Leaking

Detecting

  • sqlchop - [DEPRECATED] Novel SQL injection detection engine built on top of SQL tokenizing and syntax analysis by chaitin.
  • retire.js - Scanner detecting the use of JavaScript libraries with known vulnerabilities by @RetireJS.
  • malware-jail - Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction by @HynekPetrak.

Preventing

  • js-xss - Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist by @leizongmin.

Webshell

Disassembler

Others

  • Dnslogger - DNS Logger by @iagox86.
  • CyberChef - The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis - by @GCHQ.

Social Engineering Database

use at your own risk

Blogs

Twitter Users

  • @filedescriptor - Active penetrator often tweets and writes useful articles
  • @cure53berlin - Cure53 is a German cybersecurity firm.
  • @XssPayloads - The wonderland of JavaScript unexpected usages, and more.
  • @kinugawamasato - Japanese web penetrator.
  • @h3xstream - Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.
  • @garethheyes - English web penetrator.

Practices

AWS

XSS

Community

Miscellaneous

License

CC0

To the extent possible under law, @qazbnm456 has waived all copyright and related or neighboring rights to this work.