Security Resources 📖

Links to online resources & tools we use during our web application / network security courses.

You can create a PR or open an issue if you think we missed a useful resource.

Short URL: https://git.io/secres

Compass Security 🧭

• Compass Security: https://compass-security.com/de/
• Compass Security Blog: https://blog.compass-security.com/
• Hacking Lab 1.0: https://www.hacking-lab.com/
• Hacking Lab 2.0: https://compass.hacking-lab.com/
• Hacking Lab Live CD: https://livecd.hacking-lab.com/

General 🌳

Link Lists

• Awesome Security: https://github.com/sbilly/awesome-security
• InfoSec Reference That Doesn't Suck!(Much): https://rmusser.net/docs/index.html
• Awesome Penetration Testing: https://github.com/enaqx/awesome-pentest
• Security Checklists from pentestlab.blog: https://github.com/netbiosX/Checklists
• Security Tools Collection: https://tools.tldr.run/
• Public Pentest Reports: https://github.com/juliocesarfort/public-pentesting-reports
• Security Zines: https://securityzines.com/

Hacking-Notebooks

• Payload All The Things: https://github.com/swisskyrepo/PayloadsAllTheThings
• HackTricks: https://book.hacktricks.xyz/
• Red Teaming Experiments: https://www.ired.team/
• Pentester's promiscuous Notebook: https://ppn.snovvcrash.rocks/ (by snovvcrash https://snovvcrash.rocks/)

Tutorials

• Various Security Tutorials by Prof. Andreas Steffen, strongSec GmbH: https://github.com/strongX509/cyber/

Online Tools

• CyberChef: https://gchq.github.io/CyberChef/
• Useful Web Tools by @h43z: https://h.43z.one/
• Explain Shell Commands: https://explainshell.com/
• Online Regex Tester & Debugger: https://regex101.com/

Reading

• Phrack: http://phrack.org/
• PoC||GTFO: https://www.alchemistowl.org/pocorgtfo/

Talks & Videos

• media.ccc.de: https://media.ccc.de/
• LiveOverflow: https://www.youtube.com/c/LiveOverflowCTF/
• Stacksmashing: https://www.youtube.com/channel/UC3S8vxwRfqLBdIhgRlDRVzw
• IppSec (Hack The Box Walkthroughs): https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
• /dev/null: https://www.youtube.com/channel/UCGISJ8ZHkmIv1CaoHovK-Xw
• DEFCON Switzerland / Area41: https://www.youtube.com/user/defconswitzerland/
• Swiss Cyber Storm: https://www.youtube.com/channel/UCY-Wb3JuBv_xpa8s6ZrpUxg/
• Cooper Recordings: https://administraitor.video/
• DEFCON: https://www.youtube.com/user/DEFCONConference/
• Black Hat: https://www.youtube.com/user/BlackHatOfficialYT

Web Application Security 🐝

References

• HTML Standard: https://html.spec.whatwg.org/
• W3Schools: https://www.w3schools.com/
• Mozilla Developer Network (MDN): https://developer.mozilla.org/

General

• Compass Demo: https://www.compass-demo.com/
• PortSwigger Online Seminar: https://portswigger.net/web-security
• OWASP: https://owasp.org/
  • OWASP Top 10
    • Project Page: https://owasp.org/www-project-top-ten/
    • New Project Page: https://www.owasptopten.org/
    • GitHub: https://github.com/OWASP/Top10
  • OWASP Application Security Verification Standard (ASVS)
    • Project Page: https://owasp.org/www-project-application-security-verification-standard/
    • GitHub: https://github.com/OWASP/ASVS
  • API Security: https://www2.owasp.org/www-project-api-security/
  • Cheat Sheet Series: https://cheatsheetseries.owasp.org/
  • Juice Shop
    • Project Page: https://owasp-juice.shop/, https://owasp.org/www-project-juice-shop/
    • GitHub: https://github.com/bkimminich/juice-shop
    • Companion Guide: https://pwning.owasp-juice.shop/
    • Demo: https://juice-shop.herokuapp.com/
  • OWASP Switzerland
    • Chapter Page: https://owasp.org/www-chapter-switzerland/
    • Mailing List: https://groups.google.com/a/owasp.org/forum/#!forum/switzerland-chapter
    • Twitter: https://twitter.com/owasp_ch
    • YouTube: https://www.youtube.com/channel/UCut4rjo2pUSdtnX3hUbi9_Q
    • Presentation Slides Repo:https://github.com/OWASP/www-chapter-switzerland/tree/master/assets/slides
• Stanford Web Security Class: https://web.stanford.edu/class/cs253/

HTTP & Web Basics

• HTTP Status Codes: https://httpstatuses.com/
• Can I Use (Browser Support Matrix): https://caniuse.com/
• Mozilla Developer Network: https://developer.mozilla.org/

Web Standards

• W3C Overview: https://www.w3.org/TR/
• CORS: https://www.w3.org/TR/2020/SPSD-cors-20200602/
• HTTP/2 Explained: https://http2-explained.haxx.se/
• HTTP/3 Explained: https://http3-explained.haxx.se/
• HTTP/2 Speed Demo: https://http2.akamai.com/demo

Reverse Proxies

• Weird Proxies: https://github.com/GrrrDog/weird_proxies

Authentication & Login

• Have I Been Pwned (Password Leaks): https://haveibeenpwned.com/
• Pwned Passwords: https://haveibeenpwned.com/Passwords
• Dehashed Leaked Passwords Database: https://www.dehashed.com/
• Hashes.org (Password Hash Database): https://hashes.org/

OAuth 2.0 / OpenID Connect (OIDC)

• OAuth.net: https://oauth.net/2/
• OAuth 2.0 Simplified: https://www.oauth.com/
• The OAuth 2.0 Authorization Framework, RFC 6749: https://tools.ietf.org/html/rfc6749
• OAuth 2.0 Security Best Current Practice: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16
• OpenID Connect & OAuth 2.0 - Security Best Practices, Dominick Baier, 2020: https://www.youtube.com/watch?v=AUgZffkurK0
• OAuth 2.0 for Browser-Based Apps: https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-07
• OIDC Discovery: https://auth0.com/docs/protocols/configure-applications-with-oidc-discovery)
• Real-life OIDC Security: https://security.lauritz-holtmann.de/post/sso-security-overview/

Cross-Site Scripting (XSS)

• PortSwigger XSS Cheat Sheet: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
• XSS Payloads: https://html5sec.org/
• XSS Hunter: https://xsshunter.com/
• XSS Polyglot: https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
• Script Gadgets: https://github.com/google/security-research-pocs (bypass overview: https://github.com/google/security-research-pocs/blob/master/script-gadgets/bypasses.md)
• Browser Exploitation Framework (BeEF): https://beefproject.com/
• Attack Examples
  • XSS in Electron App leads to RCE: https://blog.doyensec.com/2017/08/03/electron-framework-security.html
  • XSS in Google Search Field: https://www.youtube.com/watch?v=lG7U3fuNw3A
  • XSS in Tweetdeck Twitter Client: https://twitter.com/dergeruhn/status/476764918763749376?lang=en

Cross-Site Request Forgery (CSRF)

• Same-Site Cookie Flag: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-06
• Public Suffix List (https://publicsuffix.org): https://publicsuffix.org/list/public_suffix_list.dat

Security Headers

• Security Headers: https://securityheaders.com/
• Content Security Policy (CSP) Evaluator: https://csp-evaluator.withgoogle.com/ (Code: https://github.com/google/csp-evaluator)
• HSTS Preloading: https://hstspreload.org

JSON Web Tokens (JWT)

• JWT Decoder/Encoder: https://jwt.io/
• PentesterLab JWT Cheat Sheet: https://assets.pentesterlab.com/jwt_security_cheatsheet/jwt_security_cheatsheet.pdf
• JWT Tool for testing: https://github.com/ticarpi/jwt_tool
• Convert JWK to PEM:
  • Crypto Playground: https://8gwifi.org/jwkconvertfunctions.jsp
  • Keytool: https://keytool.online/
• Attack Examples
  • Algorithm Confusion
    • Auth0 Info: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
    • pyjwt CVE-2017-11424: https://www.cvedetails.com/cve/CVE-2017-11424/
    • pyjwt fix: https://github.com/jpadilla/pyjwt/commit/88a9fc56bdc6c870aa6af93bda401414a217db2a, https://github.com/jpadilla/pyjwt/commit/37926ea0dd207db070b45473438853447e4c1392

SQL Injection (SQLi)

• PortSwigger SQL Injection Cheat Sheet: https://portswigger.net/web-security/sql-injection/cheat-sheet

XML External Entities (XXE)

• Attack Examples
  • Sending mails via SMTP using XXE: https://shiftordie.de/blog/2017/02/18/smtp-over-xxe/

Tools

• Burp Suite: https://portswigger.net/burp/communitydownload
• SQLMap: https://sqlmap.org/
  • SQLMap cheat sheet: https://www.comparitech.com/net-admin/sqlmap-cheat-sheet/
• Burp Suite Extensions
  • Burp Suite Extensions Overview: https://apps.burpsuite.guide/
  • SAML Raider: https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e, https://github.com/CompassSecurity/SAMLRaider
  • JSON Web Tokens: https://portswigger.net/bappstore/f923cbf91698420890354c1d8958fee6, https://github.com/portswigger/json-web-tokens
• Talk "Automated security testing for Software Developers who dont know security!" (shows how to use OWASP ZAP in a CI/CD pipeline): https://media.ccc.de/v/Camp2019-10181-automated_security_testing_for_software_developers_who_dont_know_security

Hacking Environments

• OWASP Web Goat: https://owasp.org/www-project-webgoat/
• Damn Vulnerable Web Application: https://www.dvwa.co.uk/
• OWASP JuiceShop: https://owasp.org/www-project-juice-shop/

Transport Layer Security (TLS) 🔐

TLS Information

• SSL/TLS and PKI History: https://www.feistyduck.com/ssl-tls-and-pki-history/
• Every Byte of a TLS Connection: https://tls12.xargs.org/
• Every Byte of a TLS Connection for TLS 1.3: https://tls13.xargs.org/
• Cipher Suite Ratings: https://ciphersuite.info/

Online Services

• SSL Labs (TLS Server Test): https://ssllabs.com
• Hardenize: https://hardenize.com/
• BadSSL: Weak TLS Configuration Test Page: https://badssl.com
• Certificate Transparency Search: https://crt.sh/

Tools

• SSLyze TLS Server Test Tool: https://github.com/nabla-c0d3/sslyze

Cryptography 🔏

• Key Lengths: https://keylength.com
• Cryptopals Crypto Challenges: https://cryptopals.com/
• CryptoHack: https://cryptohack.org/
• Key generation / conversion: https://keytool.online/

Container Security 🐳

• contained.af (separation examples): https://contained.af/

Network Pentesting 💻

General

• Hacking Tools Cheat Sheet: https://github.com/CompassSecurity/Hacking_Tools_Cheat_Sheet
• Porchetta Industries OpenSource Tools Support: https://porchetta.industries/
• Security Best Practices for On-Premise Environments: https://github.com/CompassSecurity/OnPremSecurityBestPractices

Information Gathering & Wordlists

• Amass: https://github.com/OWASP/Amass
• Sublist3r: https://github.com/aboul3la/Sublist3r
• Shodan: https://www.shodan.io/
• Censys: https://censys.io/
• Payload All The Things: https://github.com/swisskyrepo/PayloadsAllTheThings
• VirusTotal: https://www.virustotal.com/
• FuzzDB: https://github.com/fuzzdb-project/fuzzdb
• SecLists: https://github.com/danielmiessler/SecLists
• Rapid7 Open Data: https://opendata.rapid7.com/
• CeWL: https://github.com/digininja/CeWL

Online Services

• PortQuiz: http://portquiz.net/
• nip.io (wildcard DNS): https://nip.io/
• RequestBin.NET: https://requestbin.net/
• ngrok: https://ngrok.com/
• Various useful tools: https://h.43z.one/
  • Request Logger: https://log.43z.one/
  • IP Address Convertor (useful for SSRF): https://h.43z.one/ipconverter/

Scanning

• Nmap: https://nmap.org/
• Nmap-parse-output: https://github.com/ernw/nmap-parse-output
• Aquatone: https://github.com/michenriksen/aquatone
• SMBMap: https://github.com/ShawnDEvans/smbmap
• Snaffler: https://github.com/SnaffCon/Snaffler
• Subjack: https://github.com/haccer/subjack

Sniffing

• Sniffing Tools
  • tcpdump: https://www.tcpdump.org/
  • Wireshark / Tshark: https://www.wireshark.org/
• PCAP Collection
  • Wireshark Samle Captures: https://wiki.wireshark.org/SampleCaptures
• Sniffing Analysis
  • PacketTotal: https://packettotal.com/
  • A-Packets: https://apackets.com/
• Extract credentials from network interfaces / PCAP files
  • net-creds: https://github.com/DanMcInerney/net-creds
  • PCredz: https://github.com/lgandx/PCredz

Protocol Hacking

• Network Programming in Python: https://0xbharath.github.io/python-network-programming/
• Python Foundations: https://0xbharath.github.io/python-foundations/
• Scapy: https://scapy.net/
• Workshop: The Art of Packet Crafting with Scapy by @0xbharath
  • GitHub: https://github.com/0xbharath/art-of-packet-crafting-with-scapy
  • Online Notes: https://scapy.disruptivelabs.in/

Protocols

• DNS
  • DNSViz (show DNSSEC chain): https://dnsviz.net/
  • Public .ch DNS Zone: https://www.switch.ch/open-data/#tab-c5442a19-67cf-11e8-9cf6-5254009dc73c-3
    • Search Tool: https://search-ch-domains.idocker.hacking-lab.com/
• Mailing
  • Email Infrastructure: https://www.hardenize.com/labs/policy?s=09
  • Email Spoofing Mitigations
    • Google: Help prevent spoofing and spam with DMARC: https://support.google.com/a/answer/2466580
    • Actually, DMARC works fine with mailing lists: https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html
    • Learn and Test DMARC: https://www.learndmarc.com/

Exploiting

• Vulnerability Database: https://cvedetails.com/
• Exploit Database: https://www.exploit-db.com/
• Metasploit: https://www.metasploit.com/
• Reverse Shell Generator: https://www.revshells.com/
• Hak5 Gadget Shop: https://shop.hak5.org/
• Covenant: https://github.com/cobbr/Covenant

Cracking

• General Information
  • Talk "G1234! - Password Cracking 201: Beyond the Basics - Royce Williams": https://www.youtube.com/watch?v=cSOjQI0qbuU
• Online Brute Force Tools
  • Ncrack: https://nmap.org/ncrack/
  • Hydra: https://github.com/vanhauser-thc/thc-hydra
• Offline Brute Force Tools
  • Name-That-Hash: https://github.com/HashPals/Name-That-Hash
  • Hashcat: https://hashcat.net/hashcat/
  • John The Ripper: https://www.openwall.com/john/
• Offline Burte Force Services
  • CrackStation: https://crackstation.net/
  • Crack.sh (DES Cracker): https://crack.sh/
• Wordlists
  • Password Lists from SecLists: https://github.com/danielmiessler/SecLists/tree/master/Passwords
  • CrackStation Dictionary: https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm
  • PWDB - New generation of Password Mass-Analysis: https://github.com/ignis-sec/Pwdb-Public
• Rules
  • NSA Rules: https://github.com/NSAKEY/nsa-rules
  • Hob0Rules: https://github.com/praetorian-inc/Hob0Rules
  • Corporate Rule: https://github.com/sparcflow/StratJumbo/blob/master/chap3/corporate.rule
  • OneRuleToRuleThemAll: https://github.com/NotSoSecure/password_cracking_rules
  • Hashcat Rules: https://github.com/hashcat/hashcat/tree/master/rules (e.g. best64 rule)

Linux Privilege Escalation

• Enumeration
  • LinEnum: https://github.com/rebootuser/LinEnum
  • linPEAS: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
  • pspy (unprivileged Linux process snooping): https://github.com/DominicBreuker/pspy
  • Glyptodon (search for suspicious files): https://blog.sevagas.com/?-Glyptodon
  • Lynis: https://cisofy.com/lynis/
• Privilege Escalation Methods
  • Sudo privesc on Compass Blog: https://blog.compass-security.com/tag/sudo/
  • HackTricks Linux Privilege Escalation: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist and https://book.hacktricks.xyz/linux-unix/privilege-escalation
  • PayloadsAllTheThings Linux Privilege Escalation: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
  • Back To The Future: Unix Wildcards Gone Wild (Wildcard Injection): https://www.exploit-db.com/papers/33930
• Exploitation Tools
  • LES (Linux Exploit Suggester): https://github.com/mzet-/linux-exploit-suggester
  • GTFOBins: https://gtfobins.github.io/
  • GTFOBLookup: https://github.com/nccgroup/GTFOBLookup
• Hardening
  • Distribution Independent Linux CIS Benchmark: https://www.cisecurity.org/benchmark/distribution_independent_linux/

Windows & Active Directory (AD)

• Attacks / Methodologies
  • Active Directory Security: https://adsecurity.org/
  • AD Exploitation Cheat Sheet: https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
  • Orange Cyberdefense Active Directory Pentest Mindmap: https://orange-cyberdefense.github.io/ocd-mindmaps/
  • The Dog Whisperer's Handbook: https://www.ernw.de/download/BloodHoundWorkshop/ERNW_DogWhispererHandbook.pdf
  • Not A Security Boundary: Breaking Forest Trusts: https://posts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d
  • Attacking Active Directory: 0 to 0.9: https://zer1t0.gitlab.io/posts/attacking_ad/?s=09
  • Windows & Active Directory Exploitation Cheat Sheet and Command Reference: https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/
• Kerberos
  • Introduction Videos by ATTL4S (https://twitter.com/DaniLJ94)
    • You Do (Not) Understand Kerberos: Introduction: https://www.youtube.com/watch?v=4LDpb1R3Ghg
    • You Do (Not) Understand Kerberos Delegation - Introduction: https://www.youtube.com/watch?v=p9QFdITuvgU
    • You Do (Not) Understand Kerberos Delegation - Unconstrained Delegation: https://www.youtube.com/watch?v=xDFRUYv1-eU&t=580s
    • You Do (Not) Understand Kerberos Delegation - Constrained Delegation: https://www.youtube.com/watch?v=gzqq2r6cZjc&t=2288s
    • You Do (Not) Understand Kerberos Delegation - RBCD: https://www.youtube.com/watch?v=vlKwCTvp5_w&t=1185s
  • CVE-2020-17049: Kerberos Bronze Bit Attack Theory: https://www.netspi.com/blog/technical/network-penetration-testing/cve-2020-17049-kerberos-bronze-bit-theory/
  • Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
  • Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain): https://adsecurity.org/?p=1667
  • Kerberos Attack Cheat Sheet: https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
• Active Directory Certificate Services
  • Abusing Active Directory Certificate Services Whitepaper: https://specterops.io/assets/resources/Certified_Pre-Owned.pdf
  • Abusing Active Directory Certificate Services Blogpost: https://posts.specterops.io/certified-pre-owned-d95910965cd2
• Best Practices
  • Domain-Join Computers the Proper Way: https://blog.compass-security.com/2020/03/domain-join-computers-the-proper-way/
  • Administrative Tier Model (Archived Article): https://web.archive.org/web/20201210154206/https://docs.microsoft.com/en-us/windows-[…]ivileged-access/securing-privileged-access-reference-material
• Tools
  • Sysinternals: https://docs.microsoft.com/en-us/sysinternals/#sysinternals-live
  • Sysinternals Direct Download: https://live.sysinternals.com/
  • PowerSploit: https://github.com/PowerShellMafia/PowerSploit
  • PowerUpSQL: https://github.com/NetSPI/PowerUpSQL
  • Mimikatz: https://github.com/gentilkiwi/mimikatz
  • Impacket: https://github.com/SecureAuthCorp/impacket
  • Responder: https://github.com/lgandx/Responder
  • CrackMapExec: https://github.com/byt3bl33d3r/CrackMapExec
  • CredNinja: https://github.com/Raikia/CredNinja
  • BloodHound
    • Project Page: https://github.com/BloodHoundAD/BloodHound
    • Compass Custom BloodHound Queries: https://github.com/CompassSecurity/BloodHoundQueries
  • PingCastle
    • Project Page: https://www.pingcastle.com/
    • Healthcheck Rules: https://www.pingcastle.com/PingCastleFiles/ad_hc_rules_list.html
  • Kerbrute: https://github.com/ropnop/kerbrute

Cloud

• A Cloud Guru Online Trainings: https://acloudguru.com/

Container

• Docker Security
  • How Containers Work!, Julia Evans, https://jvns.ca/blog/2020/04/27/new-zine-how-containers-work/
  • Practical Docker Security: https://docs.google.com/presentation/d/1jZkq-osQYOCcpR6gU2V1M7JvM4MsazcgVpvGqOUIh-s/edit#slide=id.g4405d38279_0_218
  • Docker.com: Docker Security Concepts: https://docs.docker.com/engine/security/security/
  • Docker Security Blogpost: https://blog.sqreen.com/docker-security/
  • 7 Docker Security Vulnerabilities: https://sysdig.com/blog/7-docker-security-vulnerabilities/
  • Docker.com: Docker Breakout in 2014: https://blog.docker.com/2014/06/docker-container-breakout-proof-of-concept-exploit/
  • Understanding Docker Container Escapes: https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
  • Docker & Capabilities by RedHat: https://www.redhat.com/en/blog/secure-your-containers-one-weird-trick
  • Docker.com: Seccomp: https://docs.docker.com/engine/security/seccomp/
  • Docker Capabilities and no-new-privileges: https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/
  • Dockerfile Best Practices: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
  • Dockerfile Security Best Practices: https://cloudberry.engineering/article/dockerfile-security-best-practices/
  • Docker Images 10 Tips: https://snyk.io/blog/10-docker-image-security-best-practices/
  • How to Keep Docker Secrets Secure: Complete Guide: https://spacelift.io/blog/docker-secrets
• Kubernetes
  • Bad Pods: Kubernetes Pod Privilege Escalation: https://labs.bishopfox.com/tech-blog/bad-pods-kubernetes-pod-privilege-escalation#pod8
  • Talk "Kubernetes from an Attacker's Perspective" by Abhisek Datta: https://www.youtube.com/watch?v=aloi74MH4zk
  • Talk "Advanced Persistence Threats: The Future of Kubernetes Attacks" by Ian Coldwater and Ian Coldwater: https://www.youtube.com/watch?v=CH7S5rE3j8w
  • Kubernetes Security Jupyter Notebooks: https://github.com/thomasfricke/training-kubernetes-security

Hacking Environments

• Hack the Box: https://www.hackthebox.eu/
• Hack the Box Academy: https://academy.hackthebox.eu/
• PentesterLab: https://pentesterlab.com/
• Metasploitable: https://sourceforge.net/projects/metasploitable/
• Root Me: https://www.root-me.org
• VulnHub: https://www.vulnhub.com/

Social Engineering 🎅

• Homograph Attacks: https://dev.to/logan/homographs-attack--5a1p
  • Tool: https://github.com/evilsocket/ditto
  • Example: https://раураӏ.com/

Mobile Application Security 📱

General

• Frida Hooking Framework: https://frida.re/
• Frida Hooks Collection: https://codeshare.frida.re/
• objection - Runtime Mobile Exploration: https://github.com/sensepost/objection

Android

• Frida
  • Frida Hook Examples: https://github.com/antojoseph/frida-android-hooks
  • Frida Code Share: https://codeshare.frida.re/browse
  • Frida Code Snippets for Android: https://erev0s.com/blog/frida-code-snippets-for-android/
• F-Secure Android Keystore Audit
  • Blogpost: https://labs.f-secure.com/blog/how-secure-is-your-android-keystore-authentication/
  • GitHub Project: https://github.com/FSecureLABS/android-keystore-audit

Security for Small and medium-sized enterprises (SMEs) 🖖

• Merkblatt Informationssicherheit für KMUs vom Nationales Zentrum für Cybersicherheit NCSC: https://www.ncsc.admin.ch/dam/ncsc/de/dokumente/infos-unternehmen/ncsc-merkblatt-kmu-sicherheit.pdf.download.pdf/ncsc-merkblatt-kmu-sicherheit_de.pdf
• Generelle Informationen zu Cyber Security für Unternehmen: https://www.ibarry.ch/de/
• Resourcen von der Polizei Bern: https://www.cyber.police.be.ch/de/start/informationen-fuer-kmu.html insbesondere interessant für euch:
  • Cyberdelikte verhindern - Wegleitung für KMU: https://www.cyber.police.be.ch/content/dam/police/dokumente/cyber/d/broschuere-cyberdelikte-verhindern-de.pdf
  • Zehn Tipps, um Cyberangriffe zu verhindern: https://www.cyber.police.be.ch/content/dam/police/dokumente/cyber/d/cybercrime-zehn-tipps-de.pdf
  • Selbstassessment für die Unternehmensleitung: https://www.cyber.police.be.ch/content/dam/police/dokumente/cyber/d/selbstassessment-de.pdf
  • Cyberattacke - wie sich schützen. Checkliste für Unternehmensleitung: https://www.cyber.police.be.ch/content/dam/police/dokumente/cyber/d/checkliste-cyberattacke-unternehmensleitung-de.pdf
• Cyber Security für Kleine und Mittlere Unternehmen: https://www.enisa.europa.eu/publications/enisa-report-cybersecurity-for-smes/@@download/fullReport