qazbnm456/awesome-web-security

🐶 A curated list of Web Security materials and resources.

Top Related Projects

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.

A collection of awesome penetration testing resources, tools and other shiny things

A list of web application security

A collection of inspiring lists, manuals, cheatsheets, blogs, hacks, one-liners, cli/web tools and more.

A list of interesting payloads, tips and tricks for bug bounty hunters.

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

Quick Overview

The "awesome-web-security" repository is a curated list of web security resources, tools, and articles. It serves as a comprehensive collection of information related to various aspects of web security, including vulnerabilities, attack techniques, defense mechanisms, and best practices.

Pros

  • Extensive collection of web security resources in one place
  • Well-organized and categorized for easy navigation
  • Regularly updated with new and relevant content
  • Covers a wide range of web security topics, from basic to advanced

Cons

  • May be overwhelming for beginners due to the vast amount of information
  • Some links may become outdated over time
  • Lacks in-depth explanations or tutorials for each resource
  • Primarily focuses on listing resources rather than providing original content

Note: As this is not a code library, the code examples and getting started instructions sections have been omitted.

Competitor Comparisons

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.

Pros of CheatSheetSeries

  • More comprehensive and detailed coverage of web security topics
  • Regularly updated and maintained by OWASP, a trusted authority in web security
  • Provides actionable, step-by-step guidance for implementing security best practices

Cons of CheatSheetSeries

  • Less focus on tools and resources compared to awesome-web-security
  • May be overwhelming for beginners due to its extensive and technical content
  • Primarily text-based, with fewer visual aids or interactive elements

Code Comparison

While both repositories primarily focus on documentation rather than code, CheatSheetSeries occasionally includes code snippets for implementation examples:

CheatSheetSeries:

String cleanString = ESAPI.encoder().encodeForHTML(untrustedString);

awesome-web-security typically links to external resources for code examples rather than providing them directly.

Summary

CheatSheetSeries offers in-depth, authoritative guidance on web security best practices, making it ideal for developers and security professionals seeking comprehensive information. awesome-web-security, on the other hand, serves as a curated list of resources, tools, and articles, which may be more accessible for those looking for quick references or specific tools. Both repositories complement each other, with CheatSheetSeries providing detailed knowledge and awesome-web-security offering a broader overview of available resources in the web security landscape.

A collection of awesome penetration testing resources, tools and other shiny things

Pros of awesome-pentest

  • Broader scope covering various aspects of penetration testing, not limited to web security
  • Includes tools and resources for network, wireless, and mobile pentesting
  • More comprehensive list of CTF platforms and practice resources

Cons of awesome-pentest

  • Less focused on web security specifics compared to awesome-web-security
  • May be overwhelming for beginners specifically interested in web security
  • Updates less frequently than awesome-web-security

Code Comparison

While both repositories are curated lists and don't contain significant code, they differ in their organization. Here's a comparison of their table of contents structure:

awesome-pentest:

- [Pre-engagement](#pre-engagement)
- [Information Gathering](#information-gathering)
- [Vulnerability Analysis](#vulnerability-analysis)
- [Exploitation](#exploitation)

awesome-web-security:

- [Resources](#resources)
- [XSS](#xss---cross-site-scripting)
- [SQL Injection](#sql-injection)
- [XML Security](#xml-security)

awesome-pentest follows a more general penetration testing methodology, while awesome-web-security is organized by specific web security topics and vulnerabilities.

Both repositories serve as valuable resources for security professionals, with awesome-pentest offering a broader range of topics and awesome-web-security providing more in-depth coverage of web-specific security issues.

A list of web application security

Pros of awesome-web-hacking

  • More focused on offensive security tools and techniques
  • Includes a section on bug bounty platforms and resources
  • Provides links to specific exploit databases and vulnerability scanners

Cons of awesome-web-hacking

  • Less comprehensive coverage of defensive security practices
  • Fewer resources on secure coding and development best practices
  • Limited information on web application security standards and compliance

Code comparison

While both repositories are primarily curated lists of resources rather than code repositories, they differ in their organization and content focus. Here's a brief comparison of their README structure:

awesome-web-hacking:

## Contents
- [Books](#books)
- [Documentation](#documentation)
- [Tools](#tools)
- [Vulnerability Scanners](#vulnerability-scanners)
- [Exercises](#exercises)

awesome-web-security:

## Contents
- [Intro](#intro)
- [Resources](#resources)
- [XSS](#xss---cross-site-scripting)
- [SQL Injection](#sql-injection)
- [XML Security](#xml-security)

awesome-web-security provides a more detailed breakdown of specific vulnerability types, while awesome-web-hacking focuses on broader categories of resources and tools for web hacking.

A collection of inspiring lists, manuals, cheatsheets, blogs, hacks, one-liners, cli/web tools and more.

Pros of the-book-of-secret-knowledge

  • Broader scope, covering various IT topics beyond web security
  • Includes practical tools, commands, and resources for system administration
  • Regularly updated with community contributions

Cons of the-book-of-secret-knowledge

  • Less focused on web security specifically
  • May be overwhelming for beginners due to its extensive content
  • Lacks detailed explanations for some topics

Code Comparison

While both repositories primarily consist of curated lists and resources rather than code, here's a comparison of their README structures:

the-book-of-secret-knowledge:

## Table of Contents

- [CLI Tools](#cli-tools)
- [GUI Tools](#gui-tools)
- [Web Tools](#web-tools)

awesome-web-security:

## Contents

- [Resources](#resources)
- [Research](#research)
- [Talks](#talks)

Both repositories use similar Markdown structures for organizing content, but the-book-of-secret-knowledge tends to have more detailed categorization due to its broader scope.

A list of interesting payloads, tips and tricks for bug bounty hunters.

Pros of bugbounty-cheatsheet

  • More focused on practical bug bounty techniques and payloads
  • Organized by vulnerability types, making it easier to find specific exploits
  • Includes a section on recon techniques, which is valuable for bug hunters

Cons of bugbounty-cheatsheet

  • Less comprehensive coverage of web security topics compared to awesome-web-security
  • Fewer external resources and links to in-depth articles or tools
  • May not be as suitable for beginners looking for a broad understanding of web security

Code Comparison

bugbounty-cheatsheet example (XSS payload):

<script>alert(1)</script>
<svg/onload=alert(1)>
<img src=x onerror=alert(1)>

awesome-web-security example (Content Security Policy):

Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.google.com

Both repositories provide valuable information for web security enthusiasts and professionals. bugbounty-cheatsheet is more tailored for active bug hunters, offering quick reference payloads and techniques. awesome-web-security, on the other hand, provides a broader overview of web security topics, making it suitable for both beginners and experienced professionals looking to expand their knowledge.

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

Pros of PayloadsAllTheThings

  • More comprehensive and detailed payload examples for various attack vectors
  • Regularly updated with new techniques and payloads
  • Includes practical examples and code snippets for immediate use

Cons of PayloadsAllTheThings

  • Less focus on general web security concepts and theory
  • May be overwhelming for beginners due to the sheer volume of information
  • Lacks curated lists of external resources and tools

Code Comparison

PayloadsAllTheThings (SQL Injection example):

' UNION SELECT NULL,NULL,NULL,NULL,NULL--
' UNION SELECT @@version,NULL,NULL,NULL,NULL--
' UNION SELECT username,password,NULL,NULL,NULL FROM users--

awesome-web-security (no direct code examples, but provides links to resources):

- [SQL Injection Cheat Sheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
- [SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)

PayloadsAllTheThings offers more practical, ready-to-use payloads, while awesome-web-security focuses on curating high-quality resources. The former is better for hands-on testing, while the latter provides a broader understanding of web security concepts and best practices.

README

Awesome Web Security

🐶 Curated list of Web Security materials and resources.

Needless to say, most websites suffer from various types of bugs which may eventually lead to vulnerabilities. Why does this happen so often? Many factors can be involved, including misconfiguration, a shortage of security skills among engineers, etc. To combat this, here is a curated list of Web Security materials and resources for learning cutting-edge penetration techniques, and I highly encourage you to read the article "So you want to be a web security researcher?" first.

Please read the contribution guidelines before contributing.


🌈 Want to strengthen your penetration skills?
I would recommend playing some awesome-ctfs.


If you enjoy this awesome list and would like to support it, check out my Patreon page :)
Also, don't forget to check out my repos 🐾 or say hi on my Twitter!

Contents

Digests

Forums

Introduction

XSS - Cross-Site Scripting

Prototype Pollution

CSV Injection

SQL Injection

Command Injection

ORM Injection

FTP Injection

XXE - XML eXternal Entity

CSRF - Cross-Site Request Forgery

Clickjacking

SSRF - Server-Side Request Forgery

Web Cache Poisoning

Relative Path Overwrite

Open Redirect

Security Assertion Markup Language (SAML)

Upload

Rails

AngularJS

ReactJS

SSL/TLS

Webmail

NFS

AWS

Azure

Fingerprint

Sub Domain Enumeration

Crypto

Web Shell

OSINT

DNS Rebinding

Deserialization

OAuth

JWT

Evasions

XXE

CSP

WAF

JSMVC

Authentication

Tricks

CSRF

Clickjacking

Remote Code Execution

XSS

SQL Injection

NoSQL Injection

FTP Injection

XXE

SSRF

Web Cache Poisoning

Header Injection

URL

Deserialization

OAuth

Others

Browser Exploitation

Frontend (e.g. SOP bypass, URL spoofing, and similar issues)

Backend (the core of the browser implementation, usually the C or C++ part)

PoCs

Database

Cheatsheets

Tools

Auditing

Command Injection

Reconnaissance

OSINT - Open-Source Intelligence

  • Shodan - Shodan is the world's first search engine for Internet-connected devices by @shodanhq.
  • Censys - Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet by University of Michigan.
  • urlscan.io - Service which analyses websites and the resources they request by @heipei.
  • ZoomEye - Cyberspace Search Engine by @zoomeye_team.
  • FOFA - Cyberspace Search Engine by BAIMAOHUI.
  • NSFOCUS - THREAT INTELLIGENCE PORTAL by NSFOCUS GLOBAL.
  • Photon - Incredibly fast crawler designed for OSINT by @s0md3v.
  • FOCA - FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents it scans by ElevenPaths.
  • SpiderFoot - Open source footprinting and intelligence-gathering tool by @binarypool.
  • xray - XRay is a tool for recon, mapping and OSINT gathering from public networks by @evilsocket.
  • gitrob - Reconnaissance tool for GitHub organizations by @michenriksen.
  • GSIL - GitHub Sensitive Information Leakage scanner by @FeeiCN.
  • raven - raven is a LinkedIn information gathering tool that pentesters can use to gather information about an organization's employees via LinkedIn by @0x09AL.
  • ReconDog - Reconnaissance Swiss Army Knife by @s0md3v.
  • Databases - start.me - Various databases which you can use for your OSINT research by @technisette.
  • peoplefindThor - the easy way to find people on Facebook by postkassen.
  • tinfoleak - The most complete open-source tool for Twitter intelligence analysis by @vaguileradiaz.
  • Raccoon - High performance offensive security tool for reconnaissance and vulnerability scanning by @evyatarmeged.
  • Social Mapper - Social Media Enumeration & Correlation Tool by Jacob Wilkin (Greenwolf) of @SpiderLabs.
  • espi0n/Dockerfiles - Dockerfiles for various OSINT tools by @espi0n.

Sub Domain Enumeration

Code Generating

Fuzzing

  • wfuzz - Web application bruteforcer by @xmendez.
  • charsetinspect - Script that inspects multi-byte character sets looking for characters with specific user-defined properties by @hack-all-the-things.
  • IPObfuscator - Simple tool to convert the IP to a DWORD IP by @OsandaMalith.
  • domato - DOM fuzzer by @google.
  • FuzzDB - Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
  • dirhunt - Web crawler optimized for searching and analyzing the directory structure of a site by @nekmo.
  • ssltest - Online service that performs a deep analysis of the configuration of any SSL web server on the public internet. Provided by Qualys SSL Labs.
  • fuzz.txt - Potentially dangerous files by @Bo0oM.

Scanning

  • wpscan - WPScan is a black box WordPress vulnerability scanner by @wpscanteam.
  • JoomlaScan - Free software to find the components installed in Joomla CMS, built out of the ashes of Joomscan by @drego85.
  • WAScan - Open source web application security scanner that uses a black-box method by @m4ll0k.
  • Nuclei - Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use by @projectdiscovery.

Penetration Testing

Offensive

XSS - Cross-Site Scripting

  • beef - The Browser Exploitation Framework Project by beefproject.
  • JShell - Get a JavaScript shell with XSS by @s0md3v.
  • XSStrike - XSStrike is a program which can fuzz and bruteforce parameters for XSS. It can also detect and bypass WAFs by @s0md3v.
  • xssor2 - XSS'OR - Hack with JavaScript by @evilcos.
  • csp evaluator - A tool for evaluating content-security-policies by Csper.

SQL Injection

  • sqlmap - Automatic SQL injection and database takeover tool.

Template Injection

  • tplmap - Code and Server-Side Template Injection Detection and Exploitation Tool by @epinna.

XXE

Cross Site Request Forgery

Server-Side Request Forgery

Leaking

Detecting

  • sqlchop - SQL injection detection engine by chaitin.
  • xsschop - XSS detection engine by chaitin.
  • retire.js - Scanner detecting the use of JavaScript libraries with known vulnerabilities by @RetireJS.
  • malware-jail - Sandbox for semi-automatic JavaScript malware analysis, deobfuscation and payload extraction by @HynekPetrak.
  • repo-supervisor - Scan your code for security misconfiguration, search for passwords and secrets.
  • bXSS - bXSS is a simple Blind XSS application adapted from cure53.de/m by @LewisArdern.
  • OpenRASP - An open source RASP solution actively maintained by Baidu Inc. Its context-aware detection algorithm yields nearly no false positives, and less than 3% performance reduction is observed under heavy server load.
  • GuardRails - A GitHub App that provides security feedback in Pull Requests.

Preventing

  • DOMPurify - DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG by Cure53.
  • js-xss - Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist by @leizongmin.
  • Acra - Client-side encryption engine for SQL databases, with strong selective encryption, SQL injections prevention and intrusion detection by @cossacklabs.
  • Csper - A set of tools for building/evaluating/monitoring content-security-policy to prevent/detect cross site scripting by Csper.

Proxy

  • Charles - HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.
  • mitmproxy - Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers by @mitmproxy.

Webshell

Disassembler

Decompiler

DNS Rebinding

  • DNS Rebind Toolkit - DNS Rebind Toolkit is a frontend JavaScript framework for developing DNS Rebinding exploits against vulnerable hosts and services on a local area network (LAN) by @brannondorsey.
  • dref - DNS Rebinding Exploitation Framework. Dref does the heavy lifting for DNS rebinding by @mwrlabs.
  • Singularity of Origin - Includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine by @nccgroup.
  • Whonow DNS Server - A malicious DNS server for executing DNS Rebinding attacks on the fly by @brannondorsey.

Others

Social Engineering Database

Blogs

Twitter Users

  • @HackwithGitHub - Initiative to showcase open source hacking tools for hackers and pentesters
  • @filedescriptor - Active penetration tester who often tweets and writes useful articles.
  • @cure53berlin - Cure53 is a German cybersecurity firm.
  • @XssPayloads - The wonderland of JavaScript unexpected usages, and more.
  • @kinugawamasato - Japanese web penetration tester.
  • @h3xstream - Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.
  • @garethheyes - English web penetration tester.
  • @hasegawayosuke - Japanese JavaScript security researcher.
  • @shhnjk - Web and Browsers Security Researcher.

Practices

Application

AWS

XSS

ModSecurity / OWASP ModSecurity Core Rule Set

Community

Miscellaneous

Code of Conduct

Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.

License

CC0

To the extent possible under law, @qazbnm456 has waived all copyright and related or neighboring rights to this work.