Skip to content

An ongoing & curated collection of awesome software best practices and techniques, libraries and frameworks, E-books and videos, websites, blog posts, links to github Repositories, technical guidelines and important resources about Web Security in Cybersecurity.

License

Notifications You must be signed in to change notification settings

paulveillard/cybersecurity-web-security

Repository files navigation

Cybersecurity Web Security

An ongoing & curated collection of awesome software best practices and techniques, libraries and frameworks, E-books and videos, websites, blog posts, links to github Repositories, technical guidelines and important resources about Web Security in Cybersecurity.

Thanks to all contributors, you're awesome and wouldn't be possible without you! Our goal is to build a categorized community-driven collection of very well-known resources.

Ensuring that your website or open web application is secure is critical. Even simple bugs in your code can result in private information being leaked, and bad people are out there trying to find ways to steal data.

Web Security

What is Web Security?

Web security involves protecting networks and computer systems from damage to or the theft of software, hardware, or data. It also includes protecting computer systems from misdirecting or disrupting the services they are designed to provide.

Web security is important for the following key reasons:

  • Malicious Content Protection:
  • Data Security
  • Regulatory Compliance
  • Improved Network Performance
  • Secure Remote Work

I highly encourage you to read this article "So you want to be a web security researcher?"

Table of Contents

Digests

Forums

Introduction

XSS - Cross-Site Scripting

Prototype Pollution

CSV Injection

SQL Injection

Command Injection

ORM Injection

FTP Injection

XXE - XML eXternal Entity

CSRF - Cross-Site Request Forgery

Clickjacking

SSRF - Server-Side Request Forgery

Web Cache Poisoning

Relative Path Overwrite

Open Redirect

Security Assertion Markup Language (SAML)

Upload

Rails

AngularJS

ReactJS

SSL/TLS

Webmail

NFS

AWS

Azure

Fingerprint

Sub Domain Enumeration

Crypto

Web Shell

OSINT

DNS Rebinding

Deserialization

OAuth

JWT

Evasions

XXE

CSP

WAF

JSMVC

Authentication

Tricks

CSRF

Clickjacking

Remote Code Execution

XSS

SQL Injection

NoSQL Injection

FTP Injection

XXE

SSRF

Web Cache Poisoning

Header Injection

URL

Deserialization

OAuth

Others

Browser Exploitation

Frontend (like SOP bypass, URL spoofing, and something like that)

Backend (core of Browser implementation, and often refers to C or C++ part)

PoCs

Database

Cheetsheets

Tools

Auditing

Command Injection

Reconnaissance

OSINT - Open-Source Intelligence

Sub Domain Enumeration

Code Generating

Fuzzing

  • wfuzz - Web application bruteforcer by @xmendez.
  • charsetinspect - Script that inspects multi-byte character sets looking for characters with specific user-defined properties by @hack-all-the-things.
  • IPObfuscator - Simple tool to convert the IP to a DWORD IP by @OsandaMalith.
  • domato - DOM fuzzer by @google.
  • FuzzDB - Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
  • dirhunt - Web crawler optimized for searching and analyzing the directory structure of a site by @nekmo.
  • ssltest - Online service that performs a deep analysis of the configuration of any SSL web server on the public internet. Provided by Qualys SSL Labs.
  • fuzz.txt - Potentially dangerous files by @Bo0oM.

Scanning

  • wpscan - WPScan is a black box WordPress vulnerability scanner by @wpscanteam.
  • JoomlaScan - Free software to find the components installed in Joomla CMS, built out of the ashes of Joomscan by @drego85.
  • WAScan - Is an open source web application security scanner that uses "black-box" method, created by @m4ll0k.
  • Nuclei - Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use by @projectdiscovery.

Penetration Testing

Offensive

XSS - Cross-Site Scripting

  • beef - The Browser Exploitation Framework Project by beefproject.
  • JShell - Get a JavaScript shell with XSS by @s0md3v.
  • XSStrike - XSStrike is a program which can fuzz and bruteforce parameters for XSS. It can also detect and bypass WAFs by @s0md3v.
  • xssor2 - XSS'OR - Hack with JavaScript by @evilcos.
  • csp evaluator - A tool for evaluating content-security-policies by Csper.

SQL Injection

  • sqlmap - Automatic SQL injection and database takeover tool.

Template Injection

  • tplmap - Code and Server-Side Template Injection Detection and Exploitation Tool by @epinna.

XXE

Cross Site Request Forgery

Server-Side Request Forgery

Leaking

Detecting

Preventing

  • DOMPurify - DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG by Cure53.
  • js-xss - Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist by @leizongmin.
  • Acra - Client-side encryption engine for SQL databases, with strong selective encryption, SQL injections prevention and intrusion detection by @cossacklabs.
  • Csper - A set of tools for building/evaluating/monitoring content-security-policy to prevent/detect cross site scripting by Csper.

Proxy

  • Charles - HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.
  • mitmproxy - Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers by @mitmproxy.

Webshell

Disassembler

Decompiler

DNS Rebinding

  • DNS Rebind Toolkit - DNS Rebind Toolkit is a frontend JavaScript framework for developing DNS Rebinding exploits against vulnerable hosts and services on a local area network (LAN) by @brannondorsey
  • dref - DNS Rebinding Exploitation Framework. Dref does the heavy-lifting for DNS rebinding by @mwrlabs
  • Singularity of Origin - It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine by @nccgroup
  • Whonow DNS Server - A malicious DNS server for executing DNS Rebinding attacks on the fly by @brannondorsey

Others

Social Engineering Database

Blogs

Twitter Users

  • @HackwithGitHub - Initiative to showcase open source hacking tools for hackers and pentesters
  • @filedescriptor - Active penetrator often tweets and writes useful articles
  • @cure53berlin - Cure53 is a German cybersecurity firm.
  • @XssPayloads - The wonderland of JavaScript unexpected usages, and more.
  • @kinugawamasato - Japanese web penetrator.
  • @h3xstream - Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.
  • @garethheyes - English web penetrator.
  • @hasegawayosuke - Japanese javascript security researcher.
  • @shhnjk - Web and Browsers Security Researcher.

Practices

Application

AWS

XSS

ModSecurity / OWASP ModSecurity Core Rule Set

Community

Miscellaneous

Code of Conduct

Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.

License

CC0

To the extent possible under law, Paul Veillard has waived all copyright and related or neighboring rights to this work.

About

An ongoing & curated collection of awesome software best practices and techniques, libraries and frameworks, E-books and videos, websites, blog posts, links to github Repositories, technical guidelines and important resources about Web Security in Cybersecurity.

Topics

Resources

License

Code of conduct

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published