awesome-web-hacking
github.com/infoslack/awesome-web-hacking
A list of web application security
What's inside
Documentation
- AppSec Santa
Independent comparison of 129+ web application security tools across SAST, DAST, SCA, and more.
- https://appsecwiki.com/
Application Security Wiki is an initiative to gather application security resources for security researchers and developers in one place.
- https://www.owasp.org/
Open Web Application Security Project
- http://www.binary-auditing.com/
Dr. Thorsten Schneider’s Binary Auditing
- http://www.pentest-standard.org/
Penetration Testing Execution Standard
- Docker images for Penetration Testing
Tools
- BadUSB Script To Exfiltrate Passwords
Extracts all saved passwords from Chrome, Firefox, and Edge and saves them to a secondary USB drive for further analysis.
- Cyclops
Cyclops is a web browser with a built-in automatic XSS detection feature.
- http://samurai.inguardians.com
- https://caido.io/
Web proxy
- https://code.google.com/p/ratproxy/
- https://code.google.com/p/skipfish/
Online Hacking Demonstration Sites
- HackSimulator
- http://crackme.cenzic.com/kelev/view/home.php
Crack Me Bank
- http://demo.testfire.net/
Altoro Mutual
- https://google-gruyere.appspot.com/
- https://pentest-ground.com/
- https://public-firing-range.appspot.com/
Firing Range is a test bed for automated web application security scanners.
Vulnerabilities
- http://0day.today/
Inj3ct0r, a database of exploits and vulnerabilities for vulnerability researchers and security professionals.
- http://cve.mitre.org/
Common Vulnerabilities and Exposures, the standard for information security vulnerability names.
- http://packetstormsecurity.com/
Global Security Resource
- https://labs.jamessawyer.co.uk/cves/
CVE PoC Search provides CVE-to-GitHub proof-of-concept lookup to quickly pivot from a web vulnerability to public exploit code.
- https://snyk.io/vuln/
Vulnerability DB: detailed information and remediation guidance for known vulnerabilities.
- https://stellastra.com/cipher-suite
Database of hundreds of TLS cipher suites and their security status.
Labs
- http://azcwr.org/az-cyber-warfare-ranges
Free live fire Capture the Flag, blue team, red team Cyber Warfare Range for beginners through advanced users. Must use a cell phone to send a text message requesting access to the range.
- https://codereviewlab.com/
Code Review Lab is a hands-on code review training platform.
- https://ginandjuice.shop/catalog
- https://github.com/adamdoupe/WackoPicko
WackoPicko is a vulnerable web application used to test web application vulnerability scanners.
- https://github.com/Audi-1/sqli-labs
SQLi labs covering error-based, blind boolean-based, and time-based injection.
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
Security Ruby on Rails
- http://brakemanscanner.org/
A static analysis security vulnerability scanner for Ruby on Rails applications.
- http://rails-sqli.org/
This page lists many query methods and options in ActiveRecord which do not sanitize raw SQL arguments and are not intended to be called with unsafe user input.
- https://github.com/0xsauby/yasuo
A Ruby script that scans a network for vulnerable and exploitable third-party web applications.
- https://github.com/hakirisec/hakiri_toolbelt
Hakiri Toolbelt is a command line interface for the Hakiri platform.
- https://github.com/rubysec/bundler-audit
Patch-level verification for Bundler
- https://github.com/rubysec/ruby-advisory-db
A database of vulnerable Ruby Gems
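The rails-sqli.org entry above is about ActiveRecord call forms that pass raw SQL through. The following is an added example, not code from the awesome-web-hacking list or from rails-sqli.org, and it does not load ActiveRecord: the two fragment builders stand in for the SQL text that `User.where("name = '#{name}'")` (unsafe interpolation) and `User.where("name = ?", name)` (placeholder binding) would send to the database, and the allowlist shows the usual fix for `order`, which accepts raw SQL so a placeholder does not help there. All helper names are this example's own.

```ruby
# Added example (not from the awesome-web-hacking list or rails-sqli.org).
# ActiveRecord is not loaded; quote_literal and bind_placeholders are stand-ins
# for the quoting that ActiveRecord's "?" placeholder form performs, written here
# so the difference between the two call forms is visible as plain SQL text.

# SQL string-literal quoting: wrap in single quotes and double any embedded quote.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Unsafe: raw interpolation, the pattern rails-sqli.org warns against.
# Attacker input closes the literal and appends its own condition.
def unsafe_name_fragment(name)
  "name = '#{name}'"
end

# Placeholder binding: each ? is replaced by a quoted literal, so the input
# stays inside the string literal and cannot add clauses.
def bind_placeholders(sql, *values)
  values = values.dup
  raise ArgumentError, "placeholder count mismatch" unless sql.count("?") == values.size
  sql.gsub("?") { quote_literal(values.shift) }
end

def safe_name_fragment(name)
  bind_placeholders("name = ?", name)
end

# order(params[:sort]) takes raw SQL in ActiveRecord; the fix is an allowlist
# of column names and directions, not escaping. Column names are hypothetical.
ORDER_COLUMNS = %w[name created_at].freeze
ORDER_DIRECTIONS = %w[asc desc].freeze

def safe_order(column, direction = "asc")
  raise ArgumentError, "unknown sort column #{column.inspect}" unless ORDER_COLUMNS.include?(column)
  raise ArgumentError, "unknown sort direction #{direction.inspect}" unless ORDER_DIRECTIONS.include?(direction)
  "ORDER BY #{column} #{direction.upcase}"
end

if __FILE__ == $PROGRAM_NAME
  payload = "x' OR '1'='1" # constructed attacker input
  puts unsafe_name_fragment(payload) # name = 'x' OR '1'='1'
  puts safe_name_fragment(payload)   # name = 'x'' OR ''1''=''1'
  puts safe_order("created_at", "desc")
end
```

In a real Rails application the placeholder form is `where("name = ?", name)` or the hash form `where(name: name)`; the point of the stand-in is only to show that the payload becomes a harmless quoted literal rather than a second `OR` condition, and that for `order`, `group`, `pluck` and the other raw-SQL methods listed on rails-sqli.org the only safe input is one you validated against a fixed set of names.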
SSL
- http://certdb.com/
SSL/TLS data service that collects data about digital certificates (issuers, organisation, WHOIS, expiration dates, and so on), with filters for convenient searching.
- https://filippo.io/Heartbleed/
A checker (site and tool) for CVE-2014-0160 (Heartbleed).
- https://letsencrypt.org/
Let’s Encrypt is a free, automated, and open Certificate Authority.
- https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
Strong SSL Security on nginx
- https://testssl.sh/
A command line tool which checks a website's TLS/SSL ciphers, protocols and cryptographic flaws.
- https://weakdh.org/
Weak Diffie-Hellman and the Logjam Attack