awesome-web-hacking

This list is for anyone wishing to learn about web application security but do not have a starting point.

You can help by sending Pull Requests to add more information.

If you're not inclined to make PRs you can tweet me at @infoslack

Books
Documentation
Tools
Cheat Sheets
Docker
Vulnerabilities
Courses
Online Hacking Demonstration Sites
Labs
SSL
Security Ruby on Rails

Books

http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/8126533404/ The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
http://www.amazon.com/Hacking-Web-Apps-Preventing-Application/dp/159749951X/ Hacking Web Apps: Detecting and Preventing Web Application Security Problems
http://www.amazon.com/Hacking-Exposed-Web-Applications-Third/dp/0071740643/ Hacking Exposed Web Applications
http://www.amazon.com/SQL-Injection-Attacks-Defense-Second/dp/1597499633/ SQL Injection Attacks and Defense
http://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886/ The Tangled WEB: A Guide to Securing Modern Web Applications
http://www.amazon.com/Web-Application-Obfuscation-Evasion-Filters/dp/1597496049/ Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'
http://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/ XSS Attacks: Cross Site Scripting Exploits and Defense
http://www.amazon.com/Browser-Hackers-Handbook-Wade-Alcorn/dp/1118662091/ The Browser Hacker’s Handbook
http://www.amazon.com/Basics-Web-Hacking-Techniques-Attack/dp/0124166008/ The Basics of Web Hacking: Tools and Techniques to Attack the Web
http://www.amazon.com/Web-Penetration-Testing-Kali-Linux/dp/1782163166/ Web Penetration Testing with Kali Linux
http://www.amazon.com/Web-Application-Security-Beginners-Guide/dp/0071776168/ Web Application Security, A Beginner's Guide
https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441/ Hacking: The Art of Exploitation
https://www.crypto101.io/ - Crypto 101 is an introductory course on cryptography
http://www.offensive-security.com/metasploit-unleashed/ - Metasploit Unleashed
http://www.cl.cam.ac.uk/~rja14/book.html - Security Engineering
https://www.feistyduck.com/library/openssl-cookbook/ - OpenSSL Cookbook
https://www.manning.com/books/real-world-cryptography - Learn and apply cryptographic techniques.
https://www.manning.com/books/making-sense-of-cyber-security - A guide to the key concepts, terminology, and technologies of cybersecurity perfect for anyone planning or implementing a security strategy.
https://www.manning.com/books/cyber-security-career-guide - Kickstart a career in cyber security by learning how to adapt your existing technical and non-technical skills.
https://www.manning.com/books/secret-key-cryptography - A book about cryptographic techniques and Secret Key methods.
https://www.manning.com/books/application-security-program-handbook - This practical book is a one-stop guide to implementing a robust application security program.
https://www.manning.com/books/cyber-threat-hunting - Practical guide to cyber threat hunting.
https://nostarch.com/bug-bounty-bootcamp - Bug Bounty Bootcamp
https://nostarch.com/hacking-apis - Hacking APIs
https://www.manning.com/books/grokking-web-application-security - A book about building web apps that are ready for and resilient to any attack.

Documentation

https://www.owasp.org/ - Open Web Application Security Project
http://www.pentest-standard.org/ - Penetration Testing Execution Standard
http://www.binary-auditing.com/ - Dr. Thorsten Schneider’s Binary Auditing
https://appsecwiki.com/ - Application Security Wiki is an initiative to provide all Application security related resources to Security Researchers and developers at one place.
AppSec Santa - Independent comparison of 129+ web application security tools across SAST, DAST, SCA, and more.

Tools

https://github.com/bad-antics/nullsec-linux - NullSec Linux - Security distribution with pre-configured web application testing tools
https://github.com/bad-antics/nullsec-webfuzz - NullSec WebFuzz - Web application fuzzing framework
https://www.deepinfo.com/ - Deepinfo Attack Surface Platform discovers all your digital assets, monitors them 24/7, detects any issues, and notifies you quickly so you can take immediate action.
- https://github.com/bountyyfi/lonkero - Enterprise-grade web vulnerability scanner with 60+ attack modules, built in Rust for penetration testing and security assessments.
https://spyse.com/ - OSINT search engine that provides fresh data about the entire web, storing all data in its own DB, interconnect finding data and has some cool features.
http://www.metasploit.com/ - World's most used penetration testing software
https://findsubdomains.com - Online subdomains scanner service with lots of additional data. works using OSINT.
https://github.com/bjeborn/basic-auth-pot HTTP Basic Authentication honeyPot.
http://www.arachni-scanner.com/ - Web Application Security Scanner Framework
https://github.com/sullo/nikto - Nikto web server scanner
http://www.tenable.com/products/nessus-vulnerability-scanner - Nessus Vulnerability Scanner
http://www.portswigger.net/burp/intruder.html - Burp Intruder is a tool for automating customized attacks against web apps.
http://www.openvas.org/ - The world's most advanced Open Source vulnerability scanner and manager.
https://github.com/iSECPartners/Scout2 - Security auditing tool for AWS environments
https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project - Is a multi threaded java application designed to brute force directories and files names on web/application servers.
https://www.owasp.org/index.php/ZAP - The Zed Attack Proxy is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
https://github.com/tecknicaltom/dsniff - dsniff is a collection of tools for network auditing and penetration testing.
https://github.com/WangYihang/Webshell-Sniper - Manage your webshell via terminal.
https://github.com/DanMcInerney/dnsspoof - DNS spoofer. Drops DNS responses from the router and replaces it with the spoofed DNS response
https://github.com/trustedsec/social-engineer-toolkit - The Social-Engineer Toolkit (SET) repository from TrustedSec
https://github.com/sqlmapproject/sqlmap - Automatic SQL injection and database takeover tool
https://github.com/beefproject/beef - The Browser Exploitation Framework Project
http://w3af.org/ - w3af is a Web Application Attack and Audit Framework
https://github.com/espreto/wpsploit - WPSploit, Exploiting Wordpress With Metasploit
https://vulert.com/ - Vulert secures software by detecting vulnerabilities in open-source dependencies—without accessing your code. It supports Js, PHP, Java, Python, and more.
https://github.com/WangYihang/Reverse-Shell-Manager - Reverse shell manager via terminal.
https://github.com/RUB-NDS/WS-Attacker - WS-Attacker is a modular framework for web services penetration testing
https://github.com/wpscanteam/wpscan - WPScan is a black box WordPress vulnerability scanner
http://sourceforge.net/projects/paros/ Paros proxy
https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project Web Scarab proxy
https://code.google.com/p/skipfish/ Skipfish, an active web application security reconnaissance tool
http://www.acunetix.com/vulnerability-scanner/ Acunetix Web Vulnerability Scanner
https://cystack.net/ CyStack Web Security Platform
http://www-03.ibm.com/software/products/en/appscan IBM Security AppScan
https://www.netsparker.com/web-vulnerability-scanner/ Netsparker web vulnerability scanner
http://www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/index.html HP Web Inspect
https://github.com/sensepost/wikto Wikto - Nikto for Windows with some extra features
http://samurai.inguardians.com Samurai Web Testing Framework
https://code.google.com/p/ratproxy/ Ratproxy
http://www.websecurify.com Websecurify
http://sourceforge.net/projects/grendel/ Grendel-scan
https://tools.kali.org/web-applications/gobuster Directory/file and DNS busting tool written in Go
http://www.edge-security.com/wfuzz.php Wfuzz
http://wapiti.sourceforge.net wapiti
https://github.com/neuroo/grabber Grabber
https://subgraph.com/vega/ Vega
http://websecuritytool.codeplex.com Watcher passive web scanner
http://xss.codeplex.com x5s XSS and Unicode transformations security testing assistant
http://www.beyondsecurity.com/avds AVDS Vulnerability Assessment and Management
http://www.golismero.com Golismero
http://www.ikare-monitoring.com IKare
http://www.nstalker.com N-Stalker X
https://www.rapid7.com/products/nexpose/index.jsp Nexpose
http://www.rapid7.com/products/appspider/ App Spider
http://www.milescan.com ParosPro
https://www.qualys.com/enterprises/qualysguard/web-application-scanning/ Qualys Web Application Scanning
http://www.beyondtrust.com/Products/RetinaNetworkSecurityScanner/ Retina
https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework Xenotix XSS Exploit Framework
https://github.com/future-architect/vuls Vulnerability scanner for Linux, agentless, written in golang.
https://github.com/rastating/wordpress-exploit-framework A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.
http://www.xss-payloads.com/ XSS Payloads to leverage XSS vulnerabilities, build custom payloads, practice penetration testing skills.
https://github.com/joaomatosf/jexboss JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool
https://github.com/commixproject/commix Automated All-in-One OS command injection and exploitation tool
https://github.com/pathetiq/BurpSmartBuster A Burp Suite content discovery plugin that add the smart into the Buster!
https://github.com/GoSecure/csp-auditor Burp and ZAP plugin to analyze CSP headers
https://github.com/ffleming/timing_attack Perform timing attacks against web applications
https://github.com/lalithr95/fuzzapi Fuzzapi is a tool used for REST API pentesting
https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)
https://github.com/nccgroup/wssip Application for capturing, modifying and sending custom WebSocket data from client to server and vice versa.
https://github.com/PalindromeLabs/STEWS Tool suite for WebSocket discovery, fingerprinting, and vulnerability detection
https://github.com/tijme/angularjs-csti-scanner Automated client-side template injection (sandbox escape/bypass) detection for AngularJS (ACSTIS).
https://reshift.softwaresecured.com A source code analysis tool for detecting and managing Java security vulnerabilities.
https://encoding.tools Web app for transforming binary data and strings, including hashes and various encodings. GPLv3 offline version available.
https://gchq.github.io/CyberChef/ A "Cyber Swiss Army Knife" for carrying out various encodings and transformations of binary data and strings.
https://github.com/urbanadventurer/WhatWeb WhatWeb - Next generation web scanner
https://www.shodan.io/ Shodan - The search engine for find vulnerable servers
https://github.com/WangYihang/Webshell-Sniper A webshell manager via terminal
https://github.com/nil0x42/phpsploit PhpSploit - Full-featured C2 framework which silently persists on webserver via evil PHP oneliner
https://webhint.io/ - webhint - webhint is a customizable linting tool that helps you improve your site's accessibility, speed, cross-browser compatibility, and more by checking your code for best practices and common errors.
https://gtfobins.github.io/ - gtfobins - GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
https://github.com/HightechSec/git-scanner git-scanner - A tool for bug hunting or pentesting for targeting websites that have open .git repositories available in public
Web Application Exploitation @ Rawsec Inventory - Complete list of Web pentesting tools
Cyclops is a novel browser that can detect vulnerability automatically - Cyclops is a web browser with XSS detection feature
https://caido.io/ - Web proxy
https://github.com/assetnote/kiterunner - API discovery
https://github.com/owasp-amass/amass - domain recon
https://columbus.elmasy.com/ - Columbus Project is an advanced subdomain discovery service with fast, powerful and easy to use API.
BadUSB Script To Exfiltrate Passwords - Extracts all saved passwords from Chrome, Firefox, and Edge to be saved onto secondary USB for further analysis.
https://github.com/flibustier/jwt-online-cracker - Brute-force HS256, HS384 or HS512 JWT Token from your browser (fully client-side).

Cheat Sheets

http://n0p.net/penguicon/php_app_sec/mirror/xss.html - XSS cheatsheet
https://highon.coffee/blog/lfi-cheat-sheet/ - LFI Cheat Sheet
https://highon.coffee/blog/reverse-shell-cheat-sheet/ - Reverse Shell Cheat Sheet
https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/ - SQL Injection Cheat Sheet
https://www.gracefulsecurity.com/path-traversal-cheat-sheet-windows/ - Path Traversal Cheat Sheet: Windows

Docker images for Penetration Testing

docker pull kalilinux/kali-linux-docker official Kali Linux
docker pull blackarchlinux/blackarch official BlackArch Linux
docker pull owasp/zap2docker-stable - official OWASP ZAP
docker pull wpscanteam/wpscan - official WPScan
docker pull metasploitframework/metasploit-framework - docker-metasploit
docker pull citizenstig/dvwa - Damn Vulnerable Web Application (DVWA)
docker pull bkimminich/juice-shop OWASP Juice Shop
docker pull wpscanteam/vulnerablewordpress - Vulnerable WordPress Installation
docker pull hmlio/vaas-cve-2014-6271 - Vulnerability as a service: Shellshock
docker pull hmlio/vaas-cve-2014-0160 - Vulnerability as a service: Heartbleed
docker pull opendns/security-ninjas - Security Ninjas
docker pull noncetonic/archlinux-pentest-lxde:1.0 - Arch Linux Penetration Tester
docker pull diogomonica/docker-bench-security - Docker Bench for Security
docker pull ismisepaul/securityshepherd - OWASP Security Shepherd
docker pull danmx/docker-owasp-webgoat - OWASP WebGoat Project docker image
docker pull docker pull jeroenwillemsen/wrongsecrets - OWASP WrongSecrets Project docker image
docker pull citizenstig/nowasp - OWASP Mutillidae II Web Pen-Test Practice Application
docker pull aaaguirre/pentest - Docker for pentest
docker pull rustscan/rustscan:2.0.0 - The Modern Port Scanner

Vulnerabilities

http://cve.mitre.org/ - Common Vulnerabilities and Exposures. The Standard for Information Security Vulnerability Names
https://www.exploit-db.com/ - The Exploit Database – ultimate archive of Exploits, Shellcode, and Security Papers.
http://0day.today/ - Inj3ct0r is the ultimate database of exploits and vulnerabilities and a great resource for vulnerability researchers and security professionals.
http://www.securityfocus.com/ - Since its inception in 1999, SecurityFocus has been a mainstay in the security community.
http://packetstormsecurity.com/ - Global Security Resource
https://wpvulndb.com/ - WPScan Vulnerability Database
https://snyk.io/vuln/ - Vulnerability DB, Detailed information and remediation guidance for known vulnerabilities.
https://stellastra.com/cipher-suite - Database of hundreds of TLS cipher suites and their security status.
https://vulert.com/vuln-db - Vulert helps developers secure their software by monitoring and alerting them to vulnerabilities in open-source dependencies—without requiring access to their code. It supports dependencies from Js, PHP, Java, Python, and many more.
https://vulncheck.com/xdb/ - An index of exploit proof-of-concept code in Git repositories.

Courses

https://pwn.guide/ - Cybersecurity learning platform, with about 100 tutorials, approximately 25 of them are about web hacking & defending websites.
https://www.offensive-security.com/information-security-training/advanced-web-attack-and-exploitation/ Offensive Security Advanced Web Attacks and Exploitation (live)
https://www.sans.org/course/web-app-penetration-testing-ethical-hacking Sans SEC542: Web App Penetration Testing and Ethical Hacking
https://www.sans.org/course/advanced-web-app-penetration-testing-ethical-hacking Sans SEC642: Advanced Web App Penetration Testing and Ethical Hacking
http://opensecuritytraining.info/ - Open Security Training
http://securitytrainings.net/security-trainings/ - Security Exploded Training
http://www.securitytube.net/ - World’s largest Infosec and Hacking Portal.
https://www.hacker101.com/ - Free class for web security by Hackerone
https://www.darkrelay.com/courses/professional-penetration-tester - Zero-Hero style Pentesting course by DarkRelay Security Labs

Online Hacking Demonstration Sites

http://testasp.vulnweb.com/ - Acunetix ASP test and demonstration site
http://testaspnet.vulnweb.com/ - Acunetix ASP.Net test and demonstration site
http://testphp.vulnweb.com/ - Acunetix PHP test and demonstration site
http://crackme.cenzic.com/kelev/view/home.php - Crack Me Bank
http://zero.webappsecurity.com/ - Zero Bank
http://demo.testfire.net/ - Altoro Mutual
https://public-firing-range.appspot.com/ - Firing Range is a test bed for automated web application security scanners.
https://xss-game.appspot.com/ - XSS challenge
https://google-gruyere.appspot.com/ Google Gruyere, web application exploits and defenses
https://ginandjuice.shop/catalog
https://pentest-ground.com/ Pentest-Ground is a free playground with deliberately vulnerable web applications and network services.
HackSimulator is a GPT created by MarkCyber in which chatGPT 4 acts as a hacking CTF. This GPT will ask for your experience level and what you would like to improve on, before simulating a machine/application for you to hack into, using the chatbox as the place to input terminal commands. Since this is through AI, it changes and adjust based on your experience level and you can ask for help if you are stuck.

Labs

https://portswigger.net/web-security - Web Security Academy: Free Online Training from PortSwigger
http://www.cis.syr.edu/~wedu/seed/all_labs.html - Developing Instructional Laboratories for Computer SEcurity EDucation
https://www.vulnhub.com/ - Virtual Machines for Localhost Penetration Testing.
https://pentesterlab.com/ - PentesterLab is an easy and great way to learn penetration testing.
https://codereviewlab.com/ - Code Review Lab is a hands-on code review training platform.
https://github.com/jerryhoff/WebGoat.NET - This web application is a learning platform about common web security flaws.
http://www.dvwa.co.uk/ - Damn Vulnerable Web Application (DVWA)
http://sourceforge.net/projects/lampsecurity/ - LAMPSecurity Training
https://github.com/Audi-1/sqli-labs - SQLI labs to test error based, Blind boolean based, Time based.
https://github.com/paralax/lfi-labs - small set of PHP scripts to practice exploiting LFI, RFI and CMD injection vulns
https://hack.me/ - Build, host and share vulnerable web apps in a sandboxed environment for free
http://azcwr.org/az-cyber-warfare-ranges - Free live fire Capture the Flag, blue team, red team Cyber Warfare Range for beginners through advanced users. Must use a cell phone to send a text message requesting access to the range.
https://github.com/adamdoupe/WackoPicko - WackoPicko is a vulnerable web application used to test web application vulnerability scanners.
https://github.com/rapid7/hackazon - Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications.
https://github.com/RhinoSecurityLabs/cloudgoat - Rhino Security Labs' "Vulnerable by Design" AWS infrastructure setup tool
https://www.hackthebox.eu/ - Hack The Box is an online platform allowing you to test and advance your skills in cyber security.
https://github.com/tegal1337/0l4bs - 0l4bs is a Cross-site scripting labs for web application security enthusiasts.
https://github.com/oliverwiegers/pentest_lab - Local pentest lab leveraging docker compose.
https://ginandjuice.shop/catalog
https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
https://labex.io/skilltrees/cybersecurity - LabEx is an online platform for enhancing your cyber security skills through hands-on labs.
https://pythoncyber.go.ro - CyberPython helps you to make your own research in order to solve challenges, exploit CVEs and make good scripts.
https://github.com/kOaDT/oss-oopssec-store - OSS – OopsSec Store: An intentionally vulnerable e-commerce application built with Next.js and React for web security training and CTF practice.

SSL

https://www.ssllabs.com/ssltest/index.html - This service performs a deep analysis of the configuration of any SSL web server on the public Internet.
http://certdb.com/ - SSL/TLS data provider service. Collect the data about digital certificates - issuers, organisation, whois, expiration dates, etc... Plus, has handy filters for convenience.
https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - Strong SSL Security on nginx
https://weakdh.org/ - Weak Diffie-Hellman and the Logjam Attack
https://letsencrypt.org/ - Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open.
https://filippo.io/Heartbleed/ - A checker (site and tool) for CVE-2014-0160 (Heartbleed).
https://testssl.sh/ - A command line tool which checks a website's TLS/SSL ciphers, protocols and cryptographic flaws.

Security Ruby on Rails

http://brakemanscanner.org/ - A static analysis security vulnerability scanner for Ruby on Rails applications.
https://github.com/rubysec/ruby-advisory-db - A database of vulnerable Ruby Gems
https://github.com/rubysec/bundler-audit - Patch-level verification for Bundler
https://github.com/hakirisec/hakiri_toolbelt - Hakiri Toolbelt is a command line interface for the Hakiri platform.
https://hakiri.io/facets - Scan Gemfile.lock for vulnerabilities.
http://rails-sqli.org/ - This page lists many query methods and options in ActiveRecord which do not sanitize raw SQL arguments and are not intended to be called with unsafe user input.
https://github.com/0xsauby/yasuo - A ruby script that scans for vulnerable & exploitable 3rd-party web applications on a network

infoslack / awesome-web-hacking

AI Architecture Analysis

Embed this Badge

Repository Summary (README)