🔓 unclaimed — this page was auto-generated from GitHub. Are you the creator?
Claim this page →
awesome-web-security
🐶 A curated list of Web Security materials and resources.
git clone https://github.com/qazbnm456/awesome-web-security
Awesome Web Security
🐶 Curated list of Web Security materials and resources.
Needless to say, most websites suffer from various types of bugs which may eventually lead to vulnerabilities. Why would this happen so often? There can be many factors involved including misconfiguration, shortage of engineers' security skills, etc. To combat this, here is a curated list of Web Security materials and resources for learning cutting edge penetration techniques, and I highly encourage you to read this article "So you want to be a web security researcher?" first.
Please read the contribution guidelines before contributing.
🌈 Want to strengthen your penetration skills?
I would recommend playing some awesome-ctfs.
If you enjoy this awesome list and would like to support it, check out my Patreon page :)
Also, don't forget to check out my repos 🐾 or say hi on X (formerly Twitter)!
🤖 Using an AI assistant?
This list also ships as a Claude Code Skill so AI agents can query it at runtime — no stale snapshot, always reads the latest data/index.json from master.
Install (one-liner, recommended):
npx skills add qazbnm456/awesome-web-security -a claude-code -g -y
Or inside Claude Code, use the plugin marketplace:
/plugin marketplace add qazbnm456/awesome-web-security
/plugin install awesome-web-security
For Codex, swap -a claude-code → -a codex.
Then ask any web-security question and the skill activates on topics like XSS, SQLi, SSRF, JWT, OAuth, recon, WAF evasion, deserialization, SAML, CTF write-ups, and more. See skills/awesome-web-security/SKILL.md for the full trigger list.
Contents
- Digests
- Forums
- Introduction
- XSS
- Prototype Pollution
- CSV Injection
- SQL Injection
- Command Injection
- ORM Injection
- FTP Injection
- XXE
- CSRF
- Clickjacking
- SSRF
- Web Cache Poisoning
- Relative Path Overwrite
- Open Redirect
- SAML
- Upload
- Rails
- AngularJS
- ReactJS
- SSL/TLS
- Webmail
- NFS
- AWS
- Azure
- Fingerprint
- Sub Domain Enumeration
- Crypto
- Web Shell
- OSINT
- DNS Rebinding
- Deserialization
- OAuth
- JWT
- Evasions
- Tricks
- Browser Exploitation
- PoCs
- Cheetsheets
- Tools
- Social Engineering Database
- Blogs
- Twitter Users
- Practices
- Community
- Miscellaneous
Digests
- CTF Field Guide - Written by Trail of Bits.
- Hacker101 - Written by hackerone.
- Infosec Newbie - Written by Mark Robinson.
- PayloadsAllTheThings - Written by @swisskyrepo.
- The Daily Swig - Web security digest - Written by PortSwigger.
- The Magic of Learning - Written by @bitvijays.
- Web Application Security Zone by Netsparker - Written by Netsparker.
- tl;dr sec - Weekly summary of top security tools, blog posts, and security research.
Forums
- Dark Reading - Connecting The Information Security Community.
- HackDig - Dig high-quality web security articles for hacker.
- Phrack Magazine - Ezine written by and for hackers.
- Security Weekly - The security podcast network.
- The Hacker News - Security in a serious way.
- The Register - Biting the hand that feeds IT.
Introduction
XSS - Cross-Site Scripting
- C.XSS Guide - Written by @JakobKallin and Irene Lobo Valbuena.
- Cross-Site Scripting – Application Security – Google - Written by Google.
- H5SC - Written by @cure53.
- THE BIG BAD WOLF - XSS AND MAINTAINING ACCESS - Written by Paulos Yibelo.
- AwesomeXSS - Written by @s0md3v.
- XSS.png - Written by @jackmasa.
- PayloadsAllTheThings - XSS Injection - Written by @swisskyrepo.
- payloadbox/xss-payload-list - Written by @payloadbox.
- Laravel Content Security Policy: Complete Implementation Guide - Hands-on guide to implementing Content Security Policy in Laravel — nonce lifecycle, Vite and Livewire integration, violation reporting, and a pre-enforcement checklist, by @itxshakil.
Prototype Pollution
- Prototype pollution attack in NodeJS application - Written by @HoLyVieR.
- Real-world JS - 1 - Written by @po6ix.
- Exploiting prototype pollution – RCE in Kibana (CVE-2019-7609) - Written by @securitymb.
CSV Injection
- CSV Injection -> Meterpreter on Pornhub - Written by Andy.
- The Absurdly Underestimated Dangers of CSV Injection - Written by George Mauer.
- PayloadsAllTheThings - CSV Injection - Written by @swisskyrepo.
SQL Injection
- SQL Injection Cheat Sheet - Written by @netsparker.
- SQL Injection Pocket Reference - Written by @LightOS.
- SQL Injection Wiki - Written by NETSPI.
- PayloadsAllTheThings - SQL Injection - Written by @swisskyrepo.
- payloadbox/sql-injection-payload-list - Written by @payloadbox.
Command Injection
- Potential command injection in resolv.rb - Written by @drigg3r.
- PayloadsAllTheThings - Command Injection - Written by @swisskyrepo.
- payloadbox/command-injection-payload-list - Written by @payloadbox.
ORM Injection
- HQL : Hyperinsane Query Language (or how to access the whole SQL API within a HQL injection ?) - Written by @_m0bius.
- HQL for pentesters - Written by @h3xstream.
- ORM Injection - Written by Simone Onofri.
- ORM2Pwn: Exploiting injections in Hibernate ORM - Written by Mikhail Egorov.
FTP Injection
- Advisory: Java/Python FTP Injections Allow for Firewall Bypass - Written by Timothy Morgan.
- SMTP over XXE − how to send emails using Java's XML parser - Written by Alexander Klink.
XXE - XML eXternal Entity
- XXE - Written by @phonexicum.
- PayloadsAllTheThings - XXE Injection - Written by various contributors.
- XML external entity (XXE) injection - Written by portswigger.
- XML Schema, DTD, and Entity Attacks - Written by Timothy D. Morgan and Omar Al Ibrahim.
- payloadbox/xxe-injection-payload-list - Written by @payloadbox.
CSRF - Cross-Site Request Forgery
- Wiping Out CSRF - Written by @jrozner.
- PayloadsAllTheThings - CSRF Injection - Written by @swisskyrepo.
Clickjacking
- Clickjacking - Written by Imperva.
- X-Frame-Options: All about Clickjacking? - Written by Mario Heiderich.
SSRF - Server-Side Request Forgery
- SSRF bible. Cheatsheet - Written by Wallarm.
- PayloadsAllTheThings - Server-Side Request Forgery - Written by @swisskyrepo.
Web Cache Poisoning
- Practical Web Cache Poisoning - Written by @albinowax.
- PayloadsAllTheThings - Web Cache Deception - Written by @swisskyrepo.
Relative Path Overwrite
- Large-scale analysis of style injection by relative path overwrite - Written by The Morning Paper.
- MBSD Technical Whitepaper - A few RPO exploitation techniques - Written by Mitsui Bussan Secure Directions, Inc..
Open Redirect
- Open Redirect Vulnerability - Written by s0cket7.
- PayloadsAllTheThings - Open Redirect - Written by @swisskyrepo.
- payloadbox/open-redirect-payload-list - Written by @payloadbox.
Security Assertion Markup Language (SAML)
- How to Hunt Bugs in SAML; a Methodology - Part I - Written by epi.
- How to Hunt Bugs in SAML; a Methodology - Part II - Written by epi.
- How to Hunt Bugs in SAML; a Methodology - Part III - Written by epi.
- PayloadsAllTheThings - SAML Injection - Written by @swisskyrepo.
Upload
- File Upload Restrictions Bypass - Written by Haboob Team.
- PayloadsAllTheThings - Upload Insecure Files - Written by @swisskyrepo.
Rails
- Rails Security - First part - Written by @qazbnm456.
- Official Rails Security Guide - Written by Rails team.
- Rails SQL Injection - Written by @presidentbeef.
- Zen Rails Security Checklist - Written by @brunofacca.
AngularJS
- DOM based Angular sandbox escapes - Written by @garethheyes.
- XSS without HTML: Client-Side Template Injection with AngularJS - Written by Gareth Heyes.
ReactJS
- XSS via a spoofed React element - Written by Daniel LeCheminant.
SSL/TLS
- SSL & TLS Penetration Testing - Written by APTIVE.
- Practical introduction to SSL/TLS - Written by @Hakky54.
Webmail
- Why mail() is dangerous in PHP - Written by Robin Peraglie.
NFS
- NFS | PENETRATION TESTING ACADEMY - Written by PENETRATION ACADEMY.
AWS
- PENETRATION TESTING AWS STORAGE: KICKING THE S3 BUCKET - Written by Dwight Hohnstein from Rhino Security Labs.
- AWS PENETRATION TESTING PART 1. S3 BUCKETS - Written by VirtueSecurity.
- AWS PENETRATION TESTING PART 2. S3, IAM, EC2 - Written by VirtueSecurity.
- Misadventures in AWS - Written by Christian Demko.
Azure
- Cloud Security Risks (Part 1): Azure CSV Injection Vulnerability - Written by @spengietz.
- Common Azure Security Vulnerabilities and Misconfigurations - Written by @rhinobenjamin.
Fingerprint
Sub Domain Enumeration
- A penetration tester’s guide to sub-domain enumeration - Written by Bharath.
- The Art of Subdomain Enumeration - Written by Patrik Hudak.
Crypto
- Applied Crypto Hardening - Written by The bettercrypto.org Team.
- What is a Side-Channel Attack ? - Written by J.M Porup.
Web Shell
- Hacking with JSP Shells - Written by @_nullbind.
- Hunting for Web Shells - Written by Jacob Baines.
OSINT
- Hacking Cryptocurrency Miners with OSINT Techniques - Written by @s3yfullah.
- OSINT x UCCU Workshop on Open Source Intelligence - Written by Philippe Lin.
- 102 Deep Dive in the Dark Web OSINT Style Kirby Plessas - Presented by @kirbstr.
- The most complete guide to finding anyone’s email - Written by Timur Daudpota.
DNS Rebinding
- Attacking Private Networks from the Internet with DNS Rebinding - Written by @brannondorsey.
- Hacking home routers from the Internet - Written by @radekk.
Deserialization
- What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability. - Written by @breenmachine.
- .NET Roulette: Exploiting Insecure Deserialization in Telerik UI - Written by @noperator.
- Attacking .NET deserialization - Written by @pwntester.
- How to exploit the DotNetNuke Cookie Deserialization - Written by CRISTIAN CORNEA.
- HOW TO EXPLOIT LIFERAY CVE-2020-7961 : QUICK JOURNEY TO POC - Written by @synacktiv.
OAuth
- What is going on with OAuth 2.0? And why you should not use it for authentication. - Written by @damianrusinek.
- Introduction to OAuth 2.0 and OpenID Connect - Written by @PhilippeDeRyck.
JWT
Evasions
XXE
- Bypass Fix of OOB XXE Using Different encoding - Written by @SpiderSec.
CSP
- CSP: bypassing form-action with reflected XSS - Written by Detectify Labs.
- TWITTER XSS + CSP BYPASS - Written by Paulos Yibelo.
- Neatly bypassing CSP - Written by Wallarm.
- Evading CSP with DOM-based dangling markup - Written by portswigger.
- GitHub's CSP journey - Written by @ptoomey3.
- GitHub's post-CSP journey - Written by @ptoomey3.
- Any protection against dynamic module import? - Written by @shhnjk.
WAF
- Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities - Written by @Brett Buerhaus.
- How to bypass libinjection in many WAF/NGWAF - Written by @d0znpp.
- Web Application Firewall (WAF) Evasion Techniques - Written by @secjuice.
- Web Application Firewall (WAF) Evasion Techniques #2 - Written by @secjuice.
JSMVC
- JavaScript MVC and Templating Frameworks - Written by Mario Heiderich.
Authentication
- Trend Micro Threat Discovery Appliance - Session Generation Authentication Bypass (CVE-2016-8584) - Written by @malerisch and @steventseeley.
Tricks
CSRF
- Exploiting CSRF on JSON endpoints with Flash and redirects - Written by @riyazwalikar.
- Neat tricks to bypass CSRF-protection - Written by Twosecurity.
- Stealing CSRF tokens with CSS injection (without iFrames) - Written by @dxa4481.
- Cracking Java’s RNG for CSRF - Javax Faces and Why CSRF Token Randomness Matters - Written by @rramgattie.
- If HttpOnly You Could Still CSRF… Of CORS you can! - Written by @GraphX.
Clickjacking
- Clickjackings in Google worth 14981.7$ - Written by @raushanraj_65039.
Remote Code Execution
- DRUPAL 7.X SERVICES MODULE UNSERIALIZE() TO RCE - Written by Ambionics Security.
- Exploiting Node.js deserialization bug for Remote Code Execution - Written by OpSecX.
- GitHub Enterprise Remote Code Execution - Written by @iblue.
- How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! - Written by Orange.
- How we exploited a remote code execution vulnerability in math.js - Written by @capacitorset.
- $36k Google App Engine RCE - Written by Ezequiel Pereira.
- Poor RichFaces - Written by CODE WHITE.
- Remote Code Execution on a Facebook server - Written by @blaklis_.
- Evil Teacher: Code Injection in Moodle - Written by RIPS Technologies.
- WebLogic RCE (CVE-2019-2725) Debug Diary - Written by Badcode@Knownsec 404 Team.
- What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability. - Written by @breenmachine.
- CVE-2019-1306: ARE YOU MY INDEX? - Written by @yu5k3.
XSS
- DON'T TRUST THE DOM: BYPASSING XSS MITIGATIONS VIA SCRIPT GADGETS - Written by Sebastian Lekies, Krzysztof Kotowicz, and Eduardo Vela.
- ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else - Written by Mario Heiderich.
- How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) - Written by @marin_m.
- Query parameter reordering causes redirect page to render unsafe URL - Written by kenziy.
- Uber XSS via Cookie - Written by zhchbin.
- Stored XSS on Facebook - Written by Enguerran Gillier.
- DOM XSS – auth.uber.com - Written by StamOne_.
- Another XSS in Google Colaboratory - Written by Michał Bentkowski.
- XSS in Google Colaboratory + CSP bypass - Written by Michał Bentkowski.
- is filtered ? - Written by @strukt93.
- XSS-Auditor — the protector of unprotected and the deceiver of protected. - Written by @terjanq.
- XSS without parentheses and semi-colons - Written by @garethheyes.
- Upgrade self XSS to Exploitable XSS an 3 Ways Technic - Written by HAHWUL.
- Exploiting XSS with 20 characters limitation - Written by Jorge Lajara.
- $20000 Facebook DOM XSS - Written by @vinodsparrow.
SQL Injection
- GitHub Enterprise SQL Injection - Written by Orange.
- SQL injection in an UPDATE query - a bug bounty story! - Written by Zombiehelp54.
- Making a Blind SQL Injection a little less blind - Written by TomNomNom.
- Red Team Tales 0x01: From MSSQL to RCE - Written by Tarlogic.
- MySQL Error Based SQL Injection Using EXP - Written by @osandamalith.
- SQL INJECTION AND POSTGRES - AN ADVENTURE TO EVENTUAL RCE - Written by @denandz.
NoSQL Injection
- GraphQL NoSQL Injection Through JSON Types - Written by Pete.
FTP Injection
- XML Out-Of-Band Data Retrieval - Written by @a66at and Alexey Osipov.
- XXE OOB exploitation at Java 1.7+ - Written by Ivan Novikov.
XXE
- Evil XML with two encodings - Written by Arseniy Sharoglazov.
- Automating local DTD discovery for XXE exploitation - Written by Philippe Arteau.
- Exploiting XXE with local DTD files - Written by Arseniy Sharoglazov.
- Forcing XXE Reflection through Server Error Messages - Written by Antti Rantasaari.
- Pre-authentication XXE vulnerability in the Services Drupal module - Written by Renaud Dubourguais.
- What You Didn't Know About XML External Entities Attacks - Written by Timothy D. Morgan.
- XML Out-Of-Band Data Retrieval - Written by Timur Yunusov and Alexey Osipov.
- XXE in WeChat Pay Sdk ( WeChat leave a backdoor on merchant websites) - Written by Rose Jackcode.
- XXE OOB exploitation at Java 1.7+ (2014) - Exfiltration using FTP protocol - Written by Ivan Novikov.
- XXE OOB extracting via HTTP+FTP using single opened port - Written by skavans.
SSRF
- A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! - Written by Orange.
- SSRF in https://imgur.com/vidgif/url - Written by aesteral.
- SSRF Tips - Written by xl7dev.
- PHP SSRF Techniques - Written by @themiddleblue.
- SSRF in Exchange leads to ROOT access in all instances - Written by @0xacb.
- Into the Borg – SSRF inside Google production network - Written by opnsec.
- Piercing the Veil: Server Side Request Forgery to NIPRNet access - Written by Alyssa Herrera.
- All you need to know about SSRF and how may we write tools to do auto-detect - Written by @Auxy233.
- AWS takeover through SSRF in JavaScript - Written by Gwen.
Web Cache Poisoning
- Bypassing Web Cache Poisoning Countermeasures - Written by @albinowax.
- Cache poisoning and other dirty tricks - Written by Wallarm.
Header Injection
URL
- [dev.twitter.com] XSS - Written by Sergey Bobrov.
- Phishing with Unicode Domains - Written by Xudong Zheng.
- Some Problems Of URLs - Written by Chris Palmer.
- Unicode Domains are bad and you should feel bad for supporting them - Written by VRGSEC.
Deserialization
OAuth
- Facebook OAuth Framework Vulnerability - Written by @AmolBaikar.
Others
- Inducing DNS Leaks in Onion Web Services - Written by @epidemics-scepticism.
- Stored XSS, and SSRF in Google using the Dataset Publishing Language - Written by @signalchaos.
- How I hacked Google’s bug tracking system itself for $15,600 in bounties - Written by @alex.birsan.
- Some Tricks From My Secret Group - Written by phithon.
Browser Exploitation
Frontend (like SOP bypass, URL spoofing, and something like that)
- IE11 Information disclosure - local file detection - Written by James Lee.
- JSON hijacking for the modern web - Written by portswigger.
- SOP bypass / UXSS – Stealing Credentials Pretty Fast (Edge) - Written by Manuel.
- Особенности Safari в client-side атаках - Written by Bo0oM.
- How do we Stop Spilling the Beans Across Origins? - Written by aaj at google.com and mkwst at google.com.
- Setting arbitrary request headers in Chromium via CRLF injection - Written by Michał Bentkowski.
- I’m harvesting credit card numbers and passwords from your site. Here’s how. - Written by David Gilbertson.
- The inception bar: a new phishing method - Written by jameshfisher.
- Bypassing Mobile Browser Security For Fun And Profit - Written by @rafaybaloch.
- The Cookie Monster in Your Browsers - Written by @filedescriptor.
- The world of Site Isolation and compromised renderer - Written by @shhnjk.
- Sending arbitrary IPC messages via overriding Function.prototype.apply - Written by @kinugawamasato.
- Take Advantage of Out-of-Scope Domains in Bug Bounty Programs - Written by @Abdulahhusam.
Backend (core of Browser implementation, and often refers to C or C++ part)
- Attacking JavaScript Engines - A case study of JavaScriptCore and CVE-2016-4622 - Written by [email protected].
- Exploiting a V8 OOB write. - Written by @halbecaf.
- SSD Advisory – Chrome Turbofan Remote Code Execution - Written by SecuriTeam Secure Disclosure (SSD).
- Look Mom, I don't use Shellcode - Browser Exploitation Case Study for Internet Explorer 11 - Written by @moritzj.
- PUSHING WEBKIT'S BUTTONS WITH A MOBILE PWN2OWN EXPLOIT - Written by @wanderingglitch.
- A Methodical Approach to Browser Exploitation - Written by RET2 SYSTEMS, INC.
- CVE-2017-2446 or JSC::JSGlobalObject::isHavingABadTime. - Written by Diary of a reverse-engineer.
- Breaking UC Browser - Written by Доктор Веб.
- Three roads lead to Rome - Written by @holynop.
- CLEANLY ESCAPING THE CHROME SANDBOX - Written by @tjbecker_.
PoCs
Database
- awesome-cve-poc - Curated list of CVE PoCs by @qazbnm456.
- js-vuln-db - Collection of JavaScript engine CVEs with PoCs by @tunz.
- Some-PoC-oR-ExP - 各种漏洞poc、Exp的收集或编写 by @coffeehb.
- uxss-db - Collection of UXSS CVEs with PoCs by @Metnew.
- SPLOITUS - Exploits & Tools Search Engine by @i_bo0om.
- Exploit Database - ultimate archive of Exploits, Shellcode, and Security Papers by Offensive Security.
Cheetsheets
- Capture the Flag CheatSheet - Written by @uppusaikiran.
- XSS Cheat Sheet - 2018 Edition - Written by @brutelogic.
Tools
Auditing
- A2SV - Auto Scanning to SSL Vulnerability by @hahwul.
- prowler - Tool for AWS security assessment, auditing and hardening by @Alfresco.
- slurp - Evaluate the security of S3 buckets by @hehnope.
Command Injection
- commix - Automated All-in-One OS command injection and exploitation tool by @commixproject.
Reconnaissance
OSINT - Open-Source Intelligence
- Censys - Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet by University of Michigan.
- FOCA - FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents its scans by ElevenPaths.
- FOFA - Cyberspace Search Engine by BAIMAOHUI.
- gitrob - Reconnaissance tool for GitHub organizations by @michenriksen.
- GSIL - Github Sensitive Information Leakage(Github敏感信息泄露)by @FeeiCN.
- NSFOCUS - THREAT INTELLIGENCE PORTAL by NSFOCUS GLOBAL.
// compatibility
| Platforms | cli, api, web, mobile |
|---|---|
| Operating systems | — |
| AI compatibility | claude |
| License | — |
| Pricing | open-source |
| Language | Python |
// faq
What is awesome-web-security?
🐶 A curated list of Web Security materials and resources.. It is open-source on GitHub.
Is awesome-web-security free to use?
awesome-web-security is open-source, so it is free to use.
What category does awesome-web-security belong to?
awesome-web-security is listed under security in the Claudeers registry of Claude-compatible tools.
// embed badge
[](https://claudeers.com/awesome-web-security)
// retro hit counter
[](https://claudeers.com/awesome-web-security)
// reviews
// guestbook
// related in Security & Compliance
A complete AI agency at your fingertips - From frontend wizards to Reddit community ninjas, from whimsy injectors to reality checkers. Each agent is a specia…
π RuView turns commodity WiFi signals into real-time spatial intelligence, vital sign monitoring, and presence detection — all without a single pixel of video.
Prowler is the world’s most widely used open-source cloud security platform that automates security and compliance across any cloud environment.