awesome-web-security
github.com/qazbnm456/awesome-web-security βπΆ A curated list of Web Security materials and resources.
Use this list with your AI agent
Add the Context Awesome MCP server to Claude, Cursor, or any MCP client, then ask:
"Show me osint resources from awesome-web-security"
Installation instructions βWhat's inside
Blogs
- 0Day Labs
Awesome bug-bounty and challenges writeups.
- Blog of Osanda
Security Researching and Reverse Engineering.
- BRETT BUERHAUS
Vulnerability disclosures and rambles on application security.
- Broken Browser
Fun with Browser Vulnerabilities.
- James Kettle
Head of Research at
Introduction
- 102 Deep Dive in the Dark Web OSINT Style Kirby PlessasOSINT
Presented by
- A penetration testerβs guide to sub-domain enumerationSub Domain Enumeration
Written by
- Applied Crypto HardeningCrypto
Written by
- Attacking .NET deserializationDeserialization
Written by
- Attacking Private Networks from the Internet with DNS RebindingDNS Rebinding
Written by
- AwesomeXSSXSS - Cross-Site Scripting
Written by
Tricks
- $20000 Facebook DOM XSSXSS
Written by
- $36k Google App Engine RCERemote Code Execution
Written by
- All you need to know about SSRF and how may we write tools to do auto-detectSSRF
Written by
- A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!SSRF
Written by
- Another XSS in Google ColaboratoryXSS
Written by
- ASP.NET resource files (.RESX) and deserialisation issuesDeserialization
Written by
Miscellaneous
- $7.5k Google services mix-up
Written by
- A glimpse into GitHub's Bug Bounty workflow
Written by
- Alexa Top 1 Million Security - Hacking the Big Ones
Written by
- An example why NAT is NOT security
Written by
- awesome-bug-bounty
Comprehensive curated list of available Bug Bounty & Disclosure Programs and write-ups by
- Be careful what you copy: Invisibly inserting usernames into text with Zero-Width Characters
Written by
Tools
- A2SVAuditing
Auto Scanning to SSL Vulnerability by
- AcraPreventing
Client-side encryption engine for SQL databases, with strong selective encryption, SQL injections prevention and intrusion detection by
- AQUATONEReconnaissance
Tool for Domain Flyovers by
- AstraPenetration Testing
Automated Security Testing For REST API's by
- aws_pwnPenetration Testing
A collection of AWS penetration testing junk by
- beefOffensive
The Browser Exploitation Framework Project by
Evasions
- Airbnb β When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight VulnerabilitiesWAF
Written by
- Any protection against dynamic module import?CSP
Written by
- Bypass Fix of OOB XXE Using Different encodingXXE
Written by
- CSP: bypassing form-action with reflected XSSCSP
Written by
- Evading CSP with DOM-based dangling markupCSP
Written by
- GitHub's CSP journeyCSP
Written by
Practices
- alert(1) to winXSS
Series of XSS challenges - Written by
- BadLibraryApplication
Vulnerable web application for training - Written by
- CloudGoatAWS
Rhino Security Labs' "Vulnerable by Design" AWS infrastructure setup tool - Written by
- FLAWSAWS
Amazon AWS CTF challenge - Written by
- HackxorApplication
Realistic web application hacking game - Written by
Browser Exploitation
- A Methodical Approach to Browser ExploitationBackend (core of Browser implementation, and often refers to C or C++ part)
Written by
- Attacking JavaScript Engines - A case study of JavaScriptCore and CVE-2016-4622Backend (core of Browser implementation, and often refers to C or C++ part)
Written by
- Breaking UC BrowserBackend (core of Browser implementation, and often refers to C or C++ part)
Written by
- Bypassing Mobile Browser Security For Fun And ProfitFrontend (like SOP bypass, URL spoofing, and something like that)
Written by
- CLEANLY ESCAPING THE CHROME SANDBOXBackend (core of Browser implementation, and often refers to C or C++ part)
Written by
- CVE-2017-2446 or JSC::JSGlobalObject::isHavingABadTime.Backend (core of Browser implementation, and often refers to C or C++ part)
Written by
Showing a sample of 415 resources. View the full list on GitHub β