Home

Awesome

Awesome Web Security Awesome

<img src="https://upload.wikimedia.org/wikipedia/commons/6/61/HTML5_logo_and_wordmark.svg" align="right" width="70">

🐶 Curated list of Web Security materials and resources.

Needless to say, most websites suffer from various types of bugs which may eventually lead to vulnerabilities. Why would this happen so often? There can be many factors involved including misconfiguration, shortage of engineers' security skills, etc. To combat this, here is a curated list of Web Security materials and resources for learning cutting edge penetration techniques, and I highly encourage you to read this article "So you want to be a web security researcher?" first.

Please read the contribution guidelines before contributing.


<p align="center"><b>🌈 Want to strengthen your penetration skills?</b><br>I would recommend playing some <a href="https://github.com/apsdehal/awesome-ctf" target="_blank">awesome-ctf</a>s.</p>

If you enjoy this awesome list and would like to support it, check out my Patreon page :)<br>Also, don't forget to check out my repos 🐾 or say hi on my Twitter!

Contents

Digests

Forums

<a name="intro"></a>

Introduction

<a name="xss"></a>

XSS - Cross-Site Scripting

<a name="prototype-pollution"></a>

Prototype Pollution

<a name="csv-injection"></a>

CSV Injection

<a name="sql-injection"></a>

SQL Injection

<a name="command-injection"></a>

Command Injection

<a name="orm-injection"></a>

ORM Injection

<a name="ftp-injection"></a>

FTP Injection

<a name="xxe"></a>

XXE - XML eXternal Entity

<a name="csrf"></a>

CSRF - Cross-Site Request Forgery

<a name="clickjacking"></a>

Clickjacking

<a name="ssrf"></a>

SSRF - Server-Side Request Forgery

<a name="web-cache-poisoning"></a>

Web Cache Poisoning

<a name="relative-path-overwrite"></a>

Relative Path Overwrite

<a name="open-redirect"></a>

Open Redirect

<a name="saml"></a>

Security Assertion Markup Language (SAML)

<a name="upload"></a>

Upload

<a name="rails"></a>

Rails

<a name="angularjs"></a>

AngularJS

<a name="reactjs"></a>

ReactJS

<a name="ssl-tls"></a>

SSL/TLS

<a name="webmail"></a>

Webmail

<a name="nfs"></a>

NFS

<a name="aws"></a>

AWS

<a name="azure"></a>

Azure

<a name="fingerprint"></a>

Fingerprint

<a name="sub-domain-enumeration"></a>

Sub Domain Enumeration

<a name="crypto"></a>

Crypto

<a name="web-shell"></a>

Web Shell

<a name="osint"></a>

OSINT

<a name="dns-rebinding"></a>

DNS Rebinding

<a name="deserialization"></a>

Deserialization

<a name="oauth"></a>

OAuth

<a name="jwt"></a>

JWT

Evasions

<a name="evasions-xxe"></a>

XXE

<a name="evasions-csp"></a>

CSP

<a name="evasions-waf"></a>

WAF

<a name="evasions-jsmvc"></a>

JSMVC

<a name="evasions-authentication"></a>

Authentication

Tricks

<a name="tricks-csrf"></a>

CSRF

<a name="tricks-clickjacking"></a>

Clickjacking

<a name="tricks-rce"></a>

Remote Code Execution

<a name="tricks-xss"></a>

XSS

<a name="tricks-sql-injection"></a>

SQL Injection

<a name="tricks-nosql-injection"></a>

NoSQL Injection

<a name="tricks-ftp-injection"></a>

FTP Injection

<a name="tricks-xxe"></a>

XXE

<a name="tricks-ssrf"></a>

SSRF

<a name="tricks-web-cache-poisoning"></a>

Web Cache Poisoning

<a name="tricks-header-injection"></a>

Header Injection

<a name="tricks-url"></a>

URL

<a name="tricks-deserialization"></a>

Deserialization

<a name="tricks-oauth"></a>

OAuth

<a name="tricks-others"></a>

Others

Browser Exploitation

Frontend (like SOP bypass, URL spoofing, and something like that)

Backend (core of Browser implementation, and often refers to C or C++ part)

PoCs

<a name="pocs-database"></a>

Database

Cheetsheets

Tools

<a name="tools-auditing"></a>

Auditing

<a name="tools-command-injection"></a>

Command Injection

<a name="tools-reconnaissance"></a>

Reconnaissance

<a name="tools-osint"></a>

OSINT - Open-Source Intelligence

<a name="tools-sub-domain-enumeration"></a>

Sub Domain Enumeration

<a name="tools-code-generating"></a>

Code Generating

<a name="tools-fuzzing"></a>

Fuzzing

<a name="tools-scanning"></a>

Scanning

<a name="tools-penetration-testing"></a>

Penetration Testing

<a name="tools-offensive"></a>

Offensive

<a name="tools-xss"></a>

XSS - Cross-Site Scripting

<a name="tools-sql-injection"></a>

SQL Injection

<a name="tools-template-injection"></a>

Template Injection

<a name="tools-xxe"></a>

XXE

<a name="tools-csrf"></a>

Cross Site Request Forgery

<a name="tools-ssrf"></a>

Server-Side Request Forgery

<a name="tools-leaking"></a>

Leaking

<a name="tools-detecting"></a>

Detecting

<a name="tools-preventing"></a>

Preventing

<a name="tools-proxy"></a>

Proxy

<a name="tools-webshell"></a>

Webshell

<a name="tools-disassembler"></a>

Disassembler

<a name="tools-decompiler"></a>

Decompiler

<a name="tools-dns-rebinding"></a>

DNS Rebinding

<a name="tools-others"></a>

Others

Social Engineering Database

Blogs

Twitter Users

Practices

<a name="practices-application"></a>

Application

<a name="practices-aws"></a>

AWS

<a name="practices-xss"></a>

XSS

<a name="practices-modsecurity"></a>

ModSecurity / OWASP ModSecurity Core Rule Set

Community

Miscellaneous

Code of Conduct

Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.

License

CC0

To the extent possible under law, @qazbnm456 has waived all copyright and related or neighboring rights to this work.