跳转到主要内容

标签(标签)

资源精选(342) Go开发(108) Go语言(103) Go(99) angular(82) LLM(75) 大语言模型(63) 人工智能(53) 前端开发(50) LangChain(43) golang(43) 机器学习(39) Go工程师(38) Go程序员(38) Go开发者(36) React(33) Go基础(29) Python(24) Vue(22) Web开发(20) Web技术(19) 精选资源(19) 深度学习(19) Java(18) ChatGTP(17) Cookie(16) android(16) 前端框架(13) JavaScript(13) Next.js(12) 安卓(11) 聊天机器人(10) typescript(10) 资料精选(10) NLP(10) 第三方Cookie(9) Redwoodjs(9) LLMOps(9) Go语言中级开发(9) 自然语言处理(9) PostgreSQL(9) 区块链(9) mlops(9) 安全(9) 全栈开发(8) ChatGPT(8) OpenAI(8) Linux(8) AI(8) GraphQL(8) iOS(8) 软件架构(7) Go语言高级开发(7) AWS(7) C++(7) 数据科学(7) whisper(6) Prisma(6) 隐私保护(6) RAG(6) JSON(6) DevOps(6) 数据可视化(6) wasm(6) 计算机视觉(6) 算法(6) Rust(6) 微服务(6) 隐私沙盒(5) FedCM(5) 语音识别(5) Angular开发(5) 快速应用开发(5) 提示工程(5) Agent(5) LLaMA(5) 低代码开发(5) Go测试(5) gorm(5) REST API(5) 推荐系统(5) WebAssembly(5) GameDev(5) CMS(5) CSS(5) machine-learning(5) 机器人(5) 游戏开发(5) Blockchain(5) Web安全(5) Kotlin(5) 低代码平台(5) 机器学习资源(5) Go资源(5) Nodejs(5) PHP(5) Swift(5) 智能体(4) devin(4) Blitz(4) javascript框架(4) Redwood(4) GDPR(4) 生成式人工智能(4) Angular16(4) Alpaca(4) 编程语言(4) SAML(4) JWT(4) JSON处理(4) Go并发(4) kafka(4) 移动开发(4) 移动应用(4) security(4) 隐私(4) spring-boot(4) 物联网(4) nextjs(4) 网络安全(4) API(4) Ruby(4) 信息安全(4) flutter(4) 专家智能体(3) Chrome(3) CHIPS(3) 3PC(3) SSE(3) 人工智能软件工程师(3) LLM Agent(3) Remix(3) Ubuntu(3) GPT4All(3) 软件开发(3) 问答系统(3) 开发工具(3) 最佳实践(3) RxJS(3) SSR(3) Node.js(3) Dolly(3) 移动应用开发(3) 低代码(3) IAM(3) Web框架(3) CORS(3) 基准测试(3) Go语言数据库开发(3) Oauth2(3) 并发(3) 主题(3) Theme(3) earth(3) nginx(3) 软件工程(3) azure(3) keycloak(3) 生产力工具(3) gpt3(3) 工作流(3) C(3) jupyter(3) 认证(3) prometheus(3) GAN(3) Spring(3) 逆向工程(3) 应用安全(3) Docker(3) Django(3) R(3) .NET(3) 大数据(3) Hacking(3) 渗透测试(3) C++资源(3) Mac(3) 微信小程序(3) Python资源(3) JHipster(3) 大型语言模型(2) 语言模型(2) 可穿戴设备(2) JDK(2) SQL(2) Apache(2) Hashicorp Vault(2) Spring Cloud Vault(2) Go语言Web开发(2) Go测试工程师(2) WebSocket(2) 容器化(2) AES(2) 加密(2) 输入验证(2) ORM(2) Fiber(2) Postgres(2) Gorilla Mux(2) Go数据库开发(2) 模块(2) 泛型(2) 指针(2) HTTP(2) PostgreSQL开发(2) Vault(2) K8s(2) Spring boot(2) R语言(2) 深度学习资源(2) 半监督学习(2) semi-supervised-learning(2) architecture(2) 普罗米修斯(2) 嵌入模型(2) productivity(2) 编码(2) Qt(2) 前端(2) Rust语言(2) NeRF(2) 神经辐射场(2) 元宇宙(2) CPP(2) 数据分析(2) spark(2) 流处理(2) Ionic(2) 人体姿势估计(2) human-pose-estimation(2) 视频处理(2) deep-learning(2) kotlin语言(2) kotlin开发(2) burp(2) Chatbot(2) npm(2) quantum(2) OCR(2) 游戏(2) game(2) 内容管理系统(2) MySQL(2) python-books(2) pentest(2) opengl(2) IDE(2) 漏洞赏金(2) Web(2) 知识图谱(2) PyTorch(2) 数据库(2) reverse-engineering(2) 数据工程(2) swift开发(2) rest(2) robotics(2) ios-animation(2) 知识蒸馏(2) 安卓开发(2) nestjs(2) solidity(2) 爬虫(2) 面试(2) 容器(2) C++精选(2) 人工智能资源(2) Machine Learning(2) 备忘单(2) 编程书籍(2) angular资源(2) 速查表(2) cheatsheets(2) SecOps(2) mlops资源(2) R资源(2) DDD(2) 架构设计模式(2) 量化(2) Hacking资源(2) 强化学习(2) flask(2) 设计(2) 性能(2) Sysadmin(2) 系统管理员(2) Java资源(2) 机器学习精选(2) android资源(2) android-UI(2) Mac资源(2) iOS资源(2) Vue资源(2) flutter资源(2) JavaScript精选(2) JavaScript资源(2) Rust开发(2) deeplearning(2) RAD(2)

不用说,大多数网站都存在各种类型的错误,最终可能导致漏洞。 为什么会经常发生这种情况? 可能涉及许多因素,包括配置错误、工程师安全技能不足等。为了解决这个问题,这里有一个精选的网络安全材料和资源列表,用于学习尖端渗透技术,我强烈建议您阅读这篇文章“ 所以你想成为一名网络安全研究员?” 第一的。

Contents

Digests

Forums

Introduction

XSS - Cross-Site Scripting

Prototype Pollution

CSV Injection

SQL Injection

Command Injection

ORM Injection

FTP Injection

XXE - XML eXternal Entity

CSRF - Cross-Site Request Forgery

Clickjacking

SSRF - Server-Side Request Forgery

Web Cache Poisoning

Relative Path Overwrite

Open Redirect

Security Assertion Markup Language (SAML)

Upload

Rails

AngularJS

ReactJS

SSL/TLS

Webmail

NFS

AWS

Azure

Fingerprint

Sub Domain Enumeration

Crypto

Web Shell

OSINT

DNS Rebinding

Deserialization

OAuth

JWT

Evasions

XXE

CSP

WAF

JSMVC

Authentication

Tricks

CSRF

Clickjacking

Remote Code Execution

XSS

SQL Injection

NoSQL Injection

FTP Injection

XXE

SSRF

Web Cache Poisoning

Header Injection

URL

Deserialization

OAuth

Others

Browser Exploitation

Frontend (like SOP bypass, URL spoofing, and something like that)

Backend (core of Browser implementation, and often refers to C or C++ part)

PoCs

Database

Cheetsheets

Tools

Auditing

Command Injection

Reconnaissance

OSINT - Open-Source Intelligence

  • Shodan - Shodan is the world's first search engine for Internet-connected devices by @shodanhq.
  • Censys - Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet by University of Michigan.
  • urlscan.io - Service which analyses websites and the resources they request by @heipei.
  • ZoomEye - Cyberspace Search Engine by @zoomeye_team.
  • FOFA - Cyberspace Search Engine by BAIMAOHUI.
  • NSFOCUS - THREAT INTELLIGENCE PORTAL by NSFOCUS GLOBAL.
  • Photon - Incredibly fast crawler designed for OSINT by @s0md3v.
  • FOCA - FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents its scans by ElevenPaths.
  • SpiderFoot - Open source footprinting and intelligence-gathering tool by @binarypool.
  • xray - XRay is a tool for recon, mapping and OSINT gathering from public networks by @evilsocket.
  • gitrob - Reconnaissance tool for GitHub organizations by @michenriksen.
  • GSIL - Github Sensitive Information Leakage(Github敏感信息泄露)by @FeeiCN.
  • raven - raven is a Linkedin information gathering tool that can be used by pentesters to gather information about an organization employees using Linkedin by @0x09AL.
  • ReconDog - Reconnaissance Swiss Army Knife by @s0md3v.
  • Databases - start.me - Various databases which you can use for your OSINT research by @technisette.
  • peoplefindThor - the easy way to find people on Facebook by [postkassen](mailto:postkassen@oejvind.dk?subject=peoplefindthor.dk comments).
  • tinfoleak - The most complete open-source tool for Twitter intelligence analysis by @vaguileradiaz.
  • Raccoon - High performance offensive security tool for reconnaissance and vulnerability scanning by @evyatarmeged.
  • Social Mapper - Social Media Enumeration & Correlation Tool by Jacob Wilkin(Greenwolf) by @SpiderLabs.
  • espi0n/Dockerfiles - Dockerfiles for various OSINT tools by @espi0n.

Sub Domain Enumeration

Code Generating

Fuzzing

  • wfuzz - Web application bruteforcer by @xmendez.
  • charsetinspect - Script that inspects multi-byte character sets looking for characters with specific user-defined properties by @hack-all-the-things.
  • IPObfuscator - Simple tool to convert the IP to a DWORD IP by @OsandaMalith.
  • domato - DOM fuzzer by @google.
  • FuzzDB - Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
  • dirhunt - Web crawler optimized for searching and analyzing the directory structure of a site by @nekmo.
  • ssltest - Online service that performs a deep analysis of the configuration of any SSL web server on the public internet. Provided by Qualys SSL Labs.
  • fuzz.txt - Potentially dangerous files by @Bo0oM.

Scanning

  • wpscan - WPScan is a black box WordPress vulnerability scanner by @wpscanteam.
  • JoomlaScan - Free software to find the components installed in Joomla CMS, built out of the ashes of Joomscan by @drego85.
  • WAScan - Is an open source web application security scanner that uses "black-box" method, created by @m4ll0k.
  • Nuclei - Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use by @projectdiscovery.

Penetration Testing

Offensive

XSS - Cross-Site Scripting

  • beef - The Browser Exploitation Framework Project by beefproject.
  • JShell - Get a JavaScript shell with XSS by @s0md3v.
  • XSStrike - XSStrike is a program which can fuzz and bruteforce parameters for XSS. It can also detect and bypass WAFs by @s0md3v.
  • xssor2 - XSS'OR - Hack with JavaScript by @evilcos.
  • csp evaluator - A tool for evaluating content-security-policies by Csper.

SQL Injection

  • sqlmap - Automatic SQL injection and database takeover tool.

Template Injection

  • tplmap - Code and Server-Side Template Injection Detection and Exploitation Tool by @epinna.

XXE

Cross Site Request Forgery

Server-Side Request Forgery

Leaking

Detecting

  • sqlchop - SQL injection detection engine by chaitin.
  • xsschop - XSS detection engine by chaitin.
  • retire.js - Scanner detecting the use of JavaScript libraries with known vulnerabilities by @RetireJS.
  • malware-jail - Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction by @HynekPetrak.
  • repo-supervisor - Scan your code for security misconfiguration, search for passwords and secrets.
  • bXSS - bXSS is a simple Blind XSS application adapted from cure53.de/m by @LewisArdern.
  • OpenRASP - An open source RASP solution actively maintained by Baidu Inc. With context-aware detection algorithm the project achieved nearly no false positives. And less than 3% performance reduction is observed under heavy server load.
  • GuardRails - A GitHub App that provides security feedback in Pull Requests.

Preventing

  • DOMPurify - DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG by Cure53.
  • js-xss - Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist by @leizongmin.
  • Acra - Client-side encryption engine for SQL databases, with strong selective encryption, SQL injections prevention and intrusion detection by @cossacklabs.
  • Csper - A set of tools for building/evaluating/monitoring content-security-policy to prevent/detect cross site scripting by Csper.

Proxy

  • Charles - HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.
  • mitmproxy - Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers by @mitmproxy.

Webshell

Disassembler

Decompiler

DNS Rebinding

  • DNS Rebind Toolkit - DNS Rebind Toolkit is a frontend JavaScript framework for developing DNS Rebinding exploits against vulnerable hosts and services on a local area network (LAN) by @brannondorsey
  • dref - DNS Rebinding Exploitation Framework. Dref does the heavy-lifting for DNS rebinding by @mwrlabs
  • Singularity of Origin - It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine by @nccgroup
  • Whonow DNS Server - A malicious DNS server for executing DNS Rebinding attacks on the fly by @brannondorsey

Others

Social Engineering Database

Blogs

Twitter Users

  • @HackwithGitHub - Initiative to showcase open source hacking tools for hackers and pentesters
  • @filedescriptor - Active penetrator often tweets and writes useful articles
  • @cure53berlin - Cure53 is a German cybersecurity firm.
  • @XssPayloads - The wonderland of JavaScript unexpected usages, and more.
  • @kinugawamasato - Japanese web penetrator.
  • @h3xstream - Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.
  • @garethheyes - English web penetrator.
  • @hasegawayosuke - Japanese javascript security researcher.
  • @shhnjk - Web and Browsers Security Researcher.

Practices

Application

AWS

XSS

ModSecurity / OWASP ModSecurity Core Rule Set

Community

Miscellaneous

原文:https://github.com/qazbnm456/awesome-web-security