Top 65 web-security open source projects

Clear all your logs in [linux/windows] servers 🛡️

ScanT3r - Web Security Scanner

File Inclusion & Directory Traversal fuzzing, enumeration & exploitation tool.

Awesome Object Capabilities and Capability Security

👨‍🏫 Mike's Web Security Course

Runs the default Google Lighthouse tests with additional security tests

DOMXSS Scanner is an online tool to scan source code for DOM based XSS vulnerabilities

Security Testing Scripts for JWT

🛡️ Make your web services secure by default !

Python library and CLI for the Bug Bounty Recon API

A Burpsuite plugin (BApp) to aid in the detection of scripts being loaded from over 23000 malicious cryptocurrency mining domains (cryptojacking).

Source code for Hacker101.com - a free online web and mobile security class.

CS 253 Web Security course at Stanford University

A service that can track data breaches like "Have I Been Pwned", but it is specific for Taiwan.

JavaScript library for building web-based applications that employ secure multi-party computation (MPC).

Open IP cameras in IPv4

Human and machine readable web vulnerability testing format

Cross-Site Scripting (XSS) command line tool for testing lists of XSS payloads on web apps.

A container repository for my public web hacks!

A curated list of various bug bounty tools

HTTPS Frontend Hijack

Awesome Node.js Security resources

🏴‍☠️ Tools for pentesting, CTFs & wargames. 🏴‍☠️

HTTP Cache Poisoning Demo

ASP.NET View State Decoder

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

A Router WiFi key recovery/cracking tool with a twist.

A guided mutation-based fuzzer for ML-based Web Application Firewalls

PrestaShop (1.6.x <= 1.6.1.23 or 1.7.x <= 1.7.4.4) Back Office Remote Code Execution (CVE-2018-19126)

A list of resources for those interested in getting started in bug bounties

A list of all FTP servers in IPv4 that allow anonymous logins.

📚Translate the distinct technical blogs. Please star or watch. Welcome to join me.

Fast CORS misconfiguration vulnerabilities scanner🍻

Making Favicon.ico based Recon Great again !

A tiny web auditor with strong opinions.

🕷️ A Git source leak exploit tool that restores the entire Git repository, including data from stash, for white-box auditing and analysis of developers' mind

Burp-Automator: A Burp Suite Automation Tool with Slack Integration. It can be used with Jenkins and Selenium to automate Dynamic Application Security Testing (DAST).

Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other.

Web application vulnerability scanner

This Lab contain the sample codes which are vulnerable to Server-Side Request Forgery attack

java source code static code analysis and danger function identify prog

A list of web application security

Personal CTF Toolkit

🎯 PHP / ASP - Shell Backdoor List 🎯

Good resources about web security that I have read.

Raven-Storm is a powerful DDoS toolkit for penetration tests, including attacks for several protocols written in python. Takedown many connections using several exotic and classic protocols.

📚 An ultimate collection wordlists of the best-known CMS

This script is designed to help expedite a web application assessment by automating some of the assessment steps (e.g., running nmap, sublist3r, metasploit, etc.)

A defense tool - detect web shells in local directories via md5sum

A simple PHP application to learn SQL Injection detection and exploitation techniques.

A Collection of articles, videos, blogs, talks and other materials on Node.js Security

開源的正體中文 Web Hacking 學習資源 - 程式安全 2021 Fall

Deliberately vulnerable scripts for Web Security training

A Deliberately Insecure Web Application

PoC + Docker Environment for Python PIL/Pillow Remote Shell Command Execution via Ghostscript CVE-2018-16509

A Python library to utilize AWS API Gateway's large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.

Stop half-done API specifications! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by validating your API specifications.

🐛 A plug-in of sublime 2/3 which is able to find PHP vulnerabilities

Modified Nuclei Templates Version to FUZZ Host Header