716 Open source projects that are alternatives of or similar to Bxss

One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password 🛡️

XSS in pastebin.com and reddit.com via unsanitized markdown output

A big list of Android Hackerone disclosed reports and other resources.

Automated reconnaissance wrapper — TomNomNom's meg on steroids. [DEPRECATED]

The fastest dork scanner written in Go.

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.

Pentest: Subdomains enumeration tool for penetration testers.

Hetty is an HTTP toolkit for security research.

Turn your VPS into an attack box

A list of interesting payloads, tips and tricks for bug bounty hunters.

Astra is a tool to find URLs and secrets inside a webpage/files

Leverage ASN to look up IP addresses (IPv4 & IPv6) owned by a specific organization for reconnaissance purposes, then run port scanning on it.

Find cloud assets that no one wants exposed 🔎 ☁️

Some of the questions which i was asked when i was giving interviews for Application/Product Security roles. I am sure this is not an exhaustive list but i felt these questions were important to be asked and some were challenging to answer

Decode All Bases - Base Scheme Decoder

Tool that will request the public disclosures on a specific HackerOne program and show them in a localhost webserver.

Vaf is a cross-platform very advanced and fast web fuzzer written in nim

Related subdomains finder

An OSINT tool to find contacts in order to report security vulnerabilities.

Find exposed API keys based on RegEx and get exploitation methods for some of keys that are found

Little Bug Bounty & Hacking Tools⚔️

Active Directory ACL Visualizer and Explorer - who's really Domain Admin?

ffffffff0x 团队维护的安全知识框架,内容包括不仅限于 web安全、工控安全、取证、应急、蓝队设施部署、后渗透、Linux安全、各类靶机writup

Subcert is an subdomain enumeration tool, that finds all the subdomains from certificate transparency logs.

🎯 XML External Entity (XXE) Injection Payload List

Multithreaded Plugin based vulnerability scanner for mass detection of web-based applications vulnerabilities

Monitoring your Slack workspaces for sensitive information

A little collection of fun and creative proof of concepts to demonstrate the potential impact of a security vulnerability.

Takes a single wordlist item and tests it one by one over a large collection of websites before moving onto the next. Create signatures to cross-check vulnerabilities over multiple hosts.

Auto setup is a bash script compatible with Debian based distributions to install and setup necessary programs.

HTTP Request Smuggling over HTTP/2 Cleartext (h2c)

qsfuzz (Query String Fuzz) allows you to build your own rules to fuzz query strings and easily identify vulnerabilities.

A fast DOM based XSS vulnerability scanner with simplicity.

Monitoring GitLab for sensitive data shared publicly

Awesome cloud enumerator

all manner of wordlists

Monitoring GitHub for sensitive data shared publicly

A collection of some of my scripts

Toolset for detecting reflected xss in websites

An open-source listing of cybersecurity technology mapped to the NIST Cybersecurity Framework (CSF)

MagicRecon is a powerful shell script to maximize the recon and data collection process of an objective and finding common vulnerabilities, all this saving the results obtained in an organized way in directories and with various formats.

A collection of over 5.1 million sub-domains and assets belonging to public bug bounty programs, compiled into a repo, for performing bulk operations.

A Python Bytecode Disassembler helping reverse engineers in dissecting Python binaries by disassembling and analyzing the compiled python byte-code(.pyc) files across all python versions (including Python 3.10.*)

Pass in a list of URLs with query strings, get back a unique list of URLs and query string combinations

This little tool is to calculate a MurmurHash value of a favicon to hunt phishing websites on the Shodan platform.

goverview - Get an overview of the list of URLs

Information Security Library

XSS Payload without Anything.

This document proposes a way of standardising the structure, language, and grammar used in security policies.

sub domain wild card filtering tool

You didn't think I'd go and leave the blue team out, right?

A simple python script which can check HTTP status of branch of URLs/Subdomains and grab URLs/Subdomain title

Designed to be installed on a fresh install of raspbian on a raspberry pi, by combining Respounder (Responder detection) and Artillery (port and service spoofing) for network deception, this tool allows you to detect an attacker on the network quickly by weeding out general noisy alerts with only those that matter.

Community Workflow for the Osmedeus Engine that describes basic reconnaissance methodology for you to build your own

A Tool for Domain Flyovers

Scan for open AWS S3 buckets and dump the contents

Secret and/ credential patterns used for gf.

Utility for hunting UAC bypasses or COM/DLL hijacks that alerts on the exported function that was consumed.

A Deliberately Insecure Web Application

Misc. Public Reports of Penetration Testing and Security Audits.