HomeSecurity & Ops › Awesome Web Security

Awesome Web Security

by qazbnm456 · qazbnm456/awesome-web-security

A curated list of Web Security materials and resources.

★ 12k stars420 projects ⑂ 0 forks0 open issues
420 projects

Written by VirtueSecurity.

Written by VirtueSecurity.

CloudGoatgithub.com

Rhino Security Labs' "Vulnerable by Design" AWS infrastructure setup tool - Written by @RhinoSecurityLabs.

FLAWSflaws.cloud

Amazon AWS CTF challenge - Written by @0xdabbad00.

Misadventures in AWSlabs.f-secure.com

Written by Christian Demko.

Written by Dwight Hohnstein from Rhino Security Labs.

Written by @garethheyes.

Written by Gareth Heyes.

BadLibrarygithub.com

Vulnerable web application for training - Written by @SecureSkyTechnology.

Hackxorhackxor.net

Realistic web application hacking game - Written by @albinowax.

OopsSec Storegithub.com

Intentionally vulnerable e-commerce application built with Next.js - Written by @kOaDT.

Probably the most modern and sophisticated insecure web application - Written by @bkimminich and the @owaspjuiceshop team.

Free trainings and labs - Written by PortSwigger.

SELinux Gameselinuxgame.org

Learn SELinux by doing. Solve Puzzles, show skillz - Written by @selinuxgame.

A2SVgithub.com

Auto Scanning to SSL Vulnerability by @hahwul.

prowlergithub.com

Tool for AWS security assessment, auditing and hardening by @Alfresco.

slurpgithub.com

Evaluate the security of S3 buckets by @hehnope.

Written by @spengietz.

Written by @rhinobenjamin.

Written by RET2 SYSTEMS, INC.

Written by Доктор Веб.

Written by @tjbecker.

Written by Diary of a reverse-engineer.

Written by @halbecaf.

Written by @wanderingglitch.

Written by SecuriTeam Secure Disclosure (SSD).

Written by @holynop.

0Day Labsblog.0daylabs.com

Awesome bug-bounty and challenges writeups.

Blog of Osandaosandamalith.com

Security Researching and Reverse Engineering.

Vulnerability disclosures and rambles on application security.

Broken Browserbrokenbrowser.com

Fun with Browser Vulnerabilities.

James Kettlealbinowax.skeletonscribe.net

Head of Research at PortSwigger Web Security.

leavesongsleavesongs.com

China's talented web penetrator.

n0tr00tn0tr00t.com

~# n0tr00t Security Team.

OpnSecopnsec.com

Open Mind Security!.

Orangeblog.orange.tw

Taiwan's talented web penetrator.

RIPS Technologiesblog.ripstech.com

Write-ups for PHP vulnerabilities.

Scrutinydatarift.blogspot.tw

Internet Security through Web Browsers by Dhiraj Mishra.

Written by @shhnjk.

Written by Detectify Labs.

Written by portswigger.

GitHub's CSP journeygithubengineering.com

Written by @ptoomey3.

GitHub's post-CSP journeygithubengineering.com

Written by @ptoomey3.

Neatly bypassing CSPlab.wallarm.com

Written by Wallarm.

TWITTER XSS + CSP BYPASSpaulosyibelo.com

Written by Paulos Yibelo.

Written by @riyazwalikar.

Written by Twosecurity.

Written by @swisskyrepo.

Wiping Out CSRFmedium.com

Written by @jrozner.

Written by Andy.

Written by @swisskyrepo.

Written by George Mauer.

Written by @uppusaikiran.

Written by @brutelogic.

Clickjackingimperva.com

Written by Imperva.

Written by @raushanraj65039.

Written by Mario Heiderich.

VWGengithub.com

Vulnerable Web applications Generator by @qazbnm456.

commixgithub.com

Automated All-in-One OS command injection and exploitation tool by @commixproject.

Written by @payloadbox.

Written by @swisskyrepo.

Written by @drigg3r.

Redditreddit.com
Stack Overflowstackoverflow.com
XSRFProbegithub.com

The Prime CSRF Audit & Exploitation Toolkit by @0xInfection.

Applied Crypto Hardeningbettercrypto.org

Written by The bettercrypto.org Team.

Written by J.M Porup.

DNS Rebind Toolkit is a frontend JavaScript framework for developing DNS Rebinding exploits against vulnerable hosts and services on a local area network (LAN) by @brannondorsey.

drefgithub.com

DNS Rebinding Exploitation Framework. Dref does the heavy-lifting for DNS rebinding by @mwrlabs.

Written by @radekk.

It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine by @nccgroup.

A malicious DNS server for executing DNS Rebinding attacks on the fly by @brannondorsey.

awesome-cve-pocgithub.com

Curated list of CVE PoCs by @qazbnm456.

Exploit Databaseexploit-db.com

ultimate archive of Exploits, Shellcode, and Security Papers by Offensive Security.

js-vuln-dbgithub.com

Collection of JavaScript engine CVEs with PoCs by @tunz.

Some-PoC-oR-ExPgithub.com

各种漏洞poc、Exp的收集或编写 by @coffeehb.

SPLOITUSsploitus.com

Exploits & Tools Search Engine by @ibo0om.

uxss-dbgithub.com

Collection of UXSS CVEs with PoCs by @Metnew.

CFRbenf.org

Another java decompiler by @LeeAtBenf.

Written by @pwntester.

Written by CRISTIAN CORNEA.

bXSSgithub.com

bXSS is a simple Blind XSS application adapted from cure53.de/m by @LewisArdern.

GuardRailsgithub.com

A GitHub App that provides security feedback in Pull Requests.

malware-jailgithub.com

Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction by @HynekPetrak.

OpenRASPgithub.com

An open source RASP solution actively maintained by Baidu Inc. With context-aware detection algorithm the project achieved nearly no false positives. And less than 3% performance reduction is observed under heavy server load.

repo-supervisorgithub.com

Scan your code for security misconfiguration, search for passwords and secrets.

retire.jsgithub.com

Scanner detecting the use of JavaScript libraries with known vulnerabilities by @RetireJS.

sqlchopsqlchop.chaitin.cn

SQL injection detection engine by chaitin.

xsschopxsschop.chaitin.cn

XSS detection engine by chaitin.

CTF Field Guidetrailofbits.github.io

Written by Trail of Bits.

Hacker101hacker101.com

Written by hackerone.

Infosec Newbiesneakymonkey.net

Written by Mark Robinson.

Written by @swisskyrepo.

Written by PortSwigger.

The Magic of Learningbitvijays.github.io

Written by @bitvijays.

tl;dr sectldrsec.com

Weekly summary of top security tools, blog posts, and security research.

Written by Netsparker.

Iaitōgithub.com

Qt and C++ GUI for radare2 reverse engineering framework by @hteso.

plasmagithub.com

Plasma is an interactive disassembler for x86/ARM/MIPS by @plasma-disassembler.

radare2github.com

Unix-like reverse engineering framework and commandline tools by @radare.

Written by Timothy Morgan.

Written by Alexander Klink.

Written by @a66at and Alexey Osipov.

Written by Ivan Novikov.

Dark Readingdarkreading.com

Connecting The Information Security Community.

HackDigen.hackdig.com

Dig high-quality web security articles for hacker.

Phrack Magazinephrack.org

Ezine written by and for hackers.

Security Weeklysecurityweekly.com

The security podcast network.

The Hacker Newsthehackernews.com

Security in a serious way.

The Registertheregister.co.uk

Biting the hand that feeds IT.

Written by @rafaybaloch.

Written by aaj at google.com and mkwst at google.com.

Written by James Lee.

Written by portswigger.

Written by Michał Bentkowski.

Written by @filedescriptor.

Written by jameshfisher.

Written by @shhnjk.

charsetinspectgithub.com

Script that inspects multi-byte character sets looking for characters with specific user-defined properties by @hack-all-the-things.

dirhuntgithub.com

Web crawler optimized for searching and analyzing the directory structure of a site by @nekmo.

domatogithub.com

DOM fuzzer by @google.

fuzz.txtgithub.com

Potentially dangerous files by @Bo0oM.

FuzzDBgithub.com

Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.

IPObfuscatorgithub.com

Simple tool to convert the IP to a DWORD IP by @OsandaMalith.

ssltestssllabs.com

Online service that performs a deep analysis of the configuration of any SSL web server on the public internet. Provided by Qualys SSL Labs.

wayparamgithub.com

Cross-platform Python CLI that fetches historical URLs from the Wayback CDX API and outputs normalized parameterized URLs for fuzzing, by @aleff-github.

wfuzzgithub.com

Web application bruteforcer by @xmendez.

Written by Timothy Morgan.

Written by Mario Heiderich.

CSS-Keylogginggithub.com

Chrome extension and Express server that exploits keylogging abilities of CSS by @maxchehab.

DVCS-Pillagegithub.com

Pillage web accessible GIT, HG and BZR repositories by @evilpacket.

dvcs-rippergithub.com

Rip web accessible (distributed) version control systems: SVN/GIT/HG... by @kost.

gitleaksgithub.com

Searches full repo history for secrets and keys by @zricethezav.

GitMinergithub.com

Tool for advanced mining for content on Github by @UnkL4b.

HTTPLeaksgithub.com

All possible ways, a website can leak HTTP requests by @cure53.

keyFindergithub.com

Chrome extension that passively scans web pages for leaked API keys, tokens, and credentials across 10 attack surfaces using 80+ detection patterns and Shannon-entropy analysis, by @momenbasel.

LinkFindergithub.com

Python script that finds endpoints in JavaScript files by @GerbenJavado.

pwngitmanagergithub.com

Git manager for pentesters by @allyshka.

snallygastergithub.com

Tool to scan for secret files on HTTP servers by @hannob.

Written by Ezequiel Pereira.

Written by @gregose.

Written by @slashcrypto.

Written by @0daywork.

Comprehensive curated list of available Bug Bounty & Disclosure Programs and write-ups by @djadmin.

Written by PwnDizzle.

List of bug bounty write-up that is categorized by the bug nature by @ngalongc.

Written by Ruslan Habalov.

Written by Belfer Center for Science and International Affairs.

Written by @clr2of8.

EQGRPgithub.com

Decrypted content of eqgrp-auction-file.tar.xz by @x0rz.

Written by Chris Patten, Tom Steele.

Google VRP and Unicornssites.google.com

Written by Daniel Stelter-Gliese.

Hands-on introduction to web application security fundamentals by Malcolm McDonald (Manning).

Written by David Scrobonia.

Written by @cj.fairhead.

htb-writeupsgithub.com

Comprehensive Hack The Box writeup collection covering 75+ web challenges including XSS, SQLi, SSTI, SSRF, and deserialization, by @momenbasel.

Written by Brian Wallace.

Information Security Reference That Doesn't Suck by @rmusser01.

Internet of Things Scanneriotscanner.bullguard.com

Check if your internet-connected devices at home are public on Shodan by BullGuard.

Written by @itsC0rg1, @jmkeads and @matir.

Written by Mariem.

notesgithub.com

Some public notes by @ChALkeR.

Penetration Testing and Exploit Dev CheatSheet.

Written by Gwen.

Written by @jhaddix.

Written by @t0nk42.

Written by Jayson.

Written by @AntoGarand.

Series of tutorials to install, configure and tune ModSecurity and the Core Rule Set - Written by @ChrFolini.

NFS PENETRATION TESTING ACADEMYpentestacademy.wordpress.com

Written by PENETRATION ACADEMY.

Written by Pete.

Written by @AmolBaikar.

Written by @PhilippeDeRyck.

HQL for pentestersblog.h3xstream.com

Written by @h3xstream.

ORM Injectionslideshare.net

Written by Simone Onofri.

Written by Mikhail Egorov.

Written by Philippe Lin.

Written by Timur Daudpota.

Censyscensys.io

Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet by University of Michigan.

Various databases which you can use for your OSINT research by @technisette.

Dockerfiles for various OSINT tools by @espi0n.

FOCAgithub.com

FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents its scans by ElevenPaths.

FOFAfofa.so

Cyberspace Search Engine by BAIMAOHUI.

gitrobgithub.com

Reconnaissance tool for GitHub organizations by @michenriksen.

GSILgithub.com

Github Sensitive Information Leakage(Github敏感信息泄露)by @FeeiCN.

OSINT and security extensions for the Marshall privacy browser, providing reconnaissance and security-testing plugins by @bad-antics.

NSFOCUSnti.nsfocus.com

THREAT INTELLIGENCE PORTAL by NSFOCUS GLOBAL.

OpenBucketsopenbuckets.io

Search engine for misconfigured public cloud storage buckets across any provider.

OSINT Projectsosintprojects.com

Free web toolkit for WHOIS/RDAP, DNS, IP geolocation, SSL certificate inspection and Certificate Transparency subdomain discovery.

peoplefindThorpeoplefindthor.dk

the easy way to find people on Facebook by postkassen.

Photongithub.com

Incredibly fast crawler designed for OSINT by @s0md3v.

Raccoongithub.com

High performance offensive security tool for reconnaissance and vulnerability scanning by @evyatarmeged.

ravengithub.com

raven is a Linkedin information gathering tool that can be used by pentesters to gather information about an organization employees using Linkedin by @0x09AL.

ReconDoggithub.com

Reconnaissance Swiss Army Knife by @s0md3v.

Shodanshodan.io

Shodan is the world's first search engine for Internet-connected devices by @shodanhq.

Social Mappergithub.com

Social Media Enumeration & Correlation Tool by Jacob Wilkin(Greenwolf) by @SpiderLabs.

SpiderFootspiderfoot.net

Open source footprinting and intelligence-gathering tool by @binarypool.

tinfoleakgithub.com

The most complete open-source tool for Twitter intelligence analysis by @vaguileradiaz.

urlscan.iourlscan.io

Service which analyses websites and the resources they request by @heipei.

xraygithub.com

XRay is a tool for recon, mapping and OSINT gathering from public networks by @evilsocket.

ZoomEyezoomeye.org

Cyberspace Search Engine by @zoomeyeteam.

Written by s0cket7.

Written by @payloadbox.

Written by @swisskyrepo.

cefdebuggithub.com

Minimal code to connect to a CEF debugger by @taviso.

ctftoolgithub.com

Interactive CTF Exploration Tool by @taviso.

CyberChefgithub.com

The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis - by @GCHQ.

Dnsloggerwiki.skullsecurity.org

DNS Logger by @iagox86.

Written by @epidemics-scepticism.

ntlmchallengergithub.com

Parse NTLM over HTTP challenge messages by @b17zr.

Written by phithon.

Written by @signalchaos.

Astragithub.com

Automated Security Testing For REST API's by @flipkart-incubator.

awspwngithub.com

A collection of AWS penetration testing junk by @dagrz.

Burp Suiteportswigger.net

Burp Suite is an integrated platform for performing security testing of web applications by portswigger.

Darkmoongithub.com

Open source autonomous AI penetration testing platform that orchestrates 80+ offensive tools via Markdown playbooks and MCP across web, cloud, Active Directory and Kubernetes, with an evidence trail per finding by @ASCIT31.

grayhatwarfarebuckets.grayhatwarfare.com

Public buckets by grayhatwarfare.

numasecgithub.com

AI-driven penetration-testing platform that coordinates 10 agents and 38 vulnerability scanners covering OWASP Top 10, by @FrancescoStabile.

TIDoS-Frameworkgithub.com

A comprehensive web application audit framework to cover up everything from Reconnaissance and OSINT to Vulnerability Analysis by @tID.

Acragithub.com

Client-side encryption engine for SQL databases, with strong selective encryption, SQL injections prevention and intrusion detection by @cossacklabs.

BunkerWebbunkerweb.io

A next-generation open-source Web Application Firewall built on nginx, maintained by Bunkerity.

CrowdSeccrowdsec.net

Open-source collaborative IPS written in Go that analyzes visitor behavior and shares threat signals across a community of operators, maintained by CrowdSec.

Cspercsper.io

A set of tools for building/evaluating/monitoring content-security-policy to prevent/detect cross site scripting by Csper.

DOMPurifygithub.com

DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG by Cure53.

FCaptchagithub.com

Self-hosted CAPTCHA with behavioral analysis, vision-AI agent detection, headless-browser fingerprinting, and SHA-256 proof-of-work, maintained by WebDecoy.

js-xssgithub.com

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist by @leizongmin.

Laravel CSP Generatorcsp-generator.shakiltech.com

Interactive Content Security Policy builder for Laravel that outputs ready-to-use PHP middleware with nonce support and violation reporting, by @itxshakil.

Pompelmigithub.com

In-process file-upload security middleware for Node.js that scans untrusted uploads before storage to detect malware, MIME spoofing, and risky archives, maintained by pompelmi.

UUSEC WAFgithub.com

An open-source web application firewall and API security gateway maintained by UUCORP.

verifyfetchgithub.com

Browser-side integrity verification and resumable downloads for large files using SRI hashes, defending against CDN compromise and supply-chain attacks, by @hamzaydia.

WebDecoygithub.com

Zero-configuration WordPress bot-detection plugin combining WebDriver detection, headless-browser fingerprinting, behavioral analysis, and SHA-256 proof-of-work, maintained by WebDecoy.

Written by @securitymb.

Written by @HoLyVieR.

Written by @po6ix.

Charlescharlesproxy.com

HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.

mitmproxygithub.com

Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers by @mitmproxy.

Official Rails Security Guideguides.rubyonrails.org

Written by Rails team.

Written by @qazbnm456.

Rails SQL Injectionrails-sqli.org

Written by @presidentbeef.

Written by @brunofacca.

Written by Daniel LeCheminant.

Written by The Morning Paper.

Written by Mitsui Bussan Secure Directions, Inc..

Written by Ezequiel Pereira.

Written by @yu5k3.

Written by Ambionics Security.

Written by RIPS Technologies.

Written by @iblue.

Written by @capacitorset.

Poor RichFacescodewhitesec.blogspot.com

Written by CODE WHITE.

Written by @blaklis.

Written by Badcode@Knownsec 404 Team.

Written by Orange.

Written by TomNomNom.

Written by @osandamalith.

Written by @payloadbox.

Written by @swisskyrepo.

Written by Tarlogic.

Written by @denandz.

Written by @netsparker.

Written by Zombiehelp54.

Written by @LightOS.

SQL Injection Wikisqlwiki.netspi.com

Written by NETSPI.

sqlmapgithub.com

Automatic SQL injection and database takeover tool.

Written by @Hakky54.

Written by APTIVE.

Written by Gwen.

Written by @themiddleblue.

Written by aesteral.

SSRF Tipsblog.safebuff.com

Written by xl7dev.

Written by @swisskyrepo.

SSRF bible. Cheatsheetdocs.google.com

Written by Wallarm.

Fraygithub.com

Open-source WAF bypass and security-testing toolkit with 6,300+ payloads across OWASP categories, AI-assisted evasion engine, 27-check reconnaissance pipeline, and OWASP hardening audit, by @dalisecurity.

JoomlaScangithub.com

Free software to find the components installed in Joomla CMS, built out of the ashes of Joomscan by @drego85.

Nucleigithub.com

Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use by @projectdiscovery.

SecuriToolsecuritool.js.org

Free online collection of 29 client-side web security tools: web auditor, JWT attacker/decoder, CVE search, CSP evaluator, email security checker (SPF/DKIM/DMARC), subdomain scanner, and more. 100% client-side, privacy-first, open source by @ReplikanteK.

Trust Scangithub.com

URL security scanner combining threat intelligence (URLhaus, PhishTank, Spamhaus) with 40+ scam and phishing pattern detection by @undeadlist.

Vigoliumgithub.com

High-fidelity vulnerability scanner fusing agentic AI with native speed, modularity, and precision, maintained by @j3ssie.

WAScangithub.com

Is an open source web application security scanner that uses "black-box" method, created by @m4ll0k.

wpscangithub.com

WPScan is a black box WordPress vulnerability scanner by @wpscanteam.

ZAP by Checkmarxzaproxy.org

Open-source web application security scanner maintained by the ZAP Core Team.

ZeroTrustgithub.com

Privacy-first Chrome extension that analyzes website security locally with on-device AI (WebGPU), producing trust scores from HTTPS, phishing, malicious-script, and cookie-compliance signals, by @sattyamjjain.

Written by epi.

Written by @swisskyrepo.

Open redirect/SSRF payload generator by intigriti.

haveibeenpwnedhaveibeenpwned.com

Check if you have an account that has been compromised in a data breach by Troy Hunt.

Hudson Rockhudsonrock.com

Check if your email or domain was compromised by infostealer malware, maintained by Hudson Rock.

AQUATONEgithub.com

Tool for Domain Flyovers by @michenriksen.

Enter an Identity (Domain Name, Organization Name, etc), a Certificate Fingerprint (SHA-1 or SHA-256) or a crt.sh ID to search certificate(s) by @crtsh.

Google's Certificate Transparency project fixes several structural flaws in the SSL certificate system by @google.

domainanalyzergithub.com

Analyze the security of any domain by finding all the information possible by @eldraco.

EyeWitnessgithub.com

EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible by @ChrisTruncer.

GSDFgithub.com

Domain searcher named GoogleSSLdomainFinder by @We5ter.

subDomainsBrutegithub.com

A simple and fast sub domain brute tool for pentesters by @lijiejie.

Sublist3rgithub.com

Sublist3r is a multi-threaded sub-domain enumeration tool for penetration testers by @aboul3la.

Written by Patrik Hudak.

Searching for domain information by VirusTotal.

tplmapgithub.com

Code and Server-Side Template Injection Detection and Exploitation Tool by @epinna.

@cure53berlintwitter.com

Cure53 is a German cybersecurity firm.

@filedescriptortwitter.com

Active penetrator often tweets and writes useful articles.

@garethheyestwitter.com

English web penetrator.

@h3xstreamtwitter.com

Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.

@HackwithGitHubtwitter.com

Initiative to showcase open source hacking tools for hackers and pentesters.

@hasegawayosuketwitter.com

Japanese javascript security researcher.

@kinugawamasatotwitter.com

Japanese web penetrator.

@shhnjktwitter.com

Web and Browsers Security Researcher.

@XssPayloadstwitter.com

The wonderland of JavaScript unexpected usages, and more.

Written by Xudong Zheng.

Sergey Bobrovblog.blackfan.ru

.

Some Problems Of URLsnoncombatant.org

Written by Chris Palmer.

Written by Haboob Team.

Written by @swisskyrepo.

Written by @d0znpp.

Written by @albinowax.

Written by Wallarm.

Written by @swisskyrepo.

Written by @albinowax.

Written by @nullbind.

Written by Jacob Baines.

Written by Robin Peraglie.

nanogithub.com

Family of code golfed PHP shells by @s0md3v.

PhpSploitgithub.com

Full-featured C2 framework which silently persists on webserver via evil PHP oneliner by @nil0x42.

reverse-shellgithub.com

Reverse Shell as a Service by @lukechilds.

Reverse Shell Manager via Terminal @WangYihang.

webshellgithub.com

This is a webshell open source project by @tennc.

Webshell-Snipergithub.com

Manage your website via terminal by @WangYihang.

Weevelygithub.com

Weaponized web shell by @epinna.

Written by @vinodsparrow.

Series of XSS challenges - Written by @steike.

Written by Michał Bentkowski.

DOM XSS – auth.uber.comstamone-bug-bounty.blogspot.tw

Written by StamOne.

Written by Sebastian Lekies, Krzysztof Kotowicz, and Eduardo Vela.

Written by Jorge Lajara.

is filtered ?twitter.com

Written by @strukt93.

Complex 16-Level XSS Challenge held in summer 2014 (+4 Hidden Levels) - Written by @cure53.

Written by Enguerran Gillier.

Uber XSS via Cookiezhchbin.github.io

Written by zhchbin.

XSS Challengesxss-quiz.int21h.jp

Series of XSS challenges - Written by yamagata21.

XSS gamexss-game.appspot.com

Google XSS Challenge - Written by Google.

Written by Michał Bentkowski.

Written by @garethheyes.

AwesomeXSSgithub.com

Written by @s0md3v.

beefgithub.com

The Browser Exploitation Framework Project by beefproject.

C.XSS Guideexcess-xss.com

Written by @JakobKallin and Irene Lobo Valbuena.

A tool for evaluating content-security-policies by Csper.

H5SCgithub.com

Written by @cure53.

JShellgithub.com

Get a JavaScript shell with XSS by @s0md3v.

Hands-on guide to implementing Content Security Policy in Laravel — nonce lifecycle, Vite and Livewire integration, violation reporting, and a pre-enforcement checklist, by @itxshakil.

Written by @payloadbox.

Written by @swisskyrepo.

Written by Paulos Yibelo.

XSS.pnggithub.com

Written by @jackmasa.

xssor2github.com

XSS'OR - Hack with JavaScript by @evilcos.

XSStrikegithub.com

XSStrike is a program which can fuzz and bruteforce parameters for XSS. It can also detect and bypass WAFs by @s0md3v.

Written by Philippe Arteau.

Written by @SpiderSec.

dtd-findergithub.com

List DTDs and generate XXE payloads using those local DTDs by @GoSecure.

Written by Arseniy Sharoglazov.

Written by Arseniy Sharoglazov.

Written by Antti Rantasaari.

Written by Renaud Dubourguais.

Written by Timothy D. Morgan.

Exfiltration using FTP protocol - Written by Ivan Novikov.

Written by @payloadbox.

Written by various contributors.

Written by portswigger.

Written by Timothy D. Morgan and Omar Al Ibrahim.

XXEphonexicum.github.io

Written by @phonexicum.

↵ to searchesc to close
awesomelist.dev