The complete and regularly updated list of the best resources to learn Web Security

Contents

Forums

Resources

Tips

XSS - Cross-Site Scripting

CSV Injection

SQL Injection

Command Injection

ORM Injection

FTP Injection

XXE - XML eXternal Entity

CSRF - Cross-Site Request Forgery

SSRF - Server-Side Request Forgery

Rails

AngularJS

SSL/TLS

Webmail

NFS

AWS

Fingerprint

Sub Domain Enumeration

Crypto

Web Shell

OSINT

Books

Evasions

CSP

WAF

JSMVC

Authentication

Tricks

CSRF

Remote Code Execution

XSS

SQL Injection

NoSQL Injection

FTP Injection

XXE

SSRF

Header Injection

URL

Others

Browser Exploitation

Frontend (like CSP bypass, URL spoofing, and something like that)

Backend (core of Browser implementation, and often refers to C or C++ part)

PoCs

JavaScript

Tools

Auditing

  • prowler - Tool for AWS security assessment, auditing and hardening by @Alfresco.
  • A2SV - Auto Scanning to SSL Vulnerability by @hahwul.

Reconnaissance

OSINT - Open-Source Intelligence

Sub Domain Enumeration

Code Generating

Fuzzing

Penetrating

Offensive

XSS - Cross-Site Scripting

  • XSStrike - XSStrike is a program which can fuzz and bruteforce parameters for XSS. It can also detect and bypass WAFs by @UltimateHackers.
  • xssor2 - XSS'OR - Hack with JavaScript by @evilcos.

SQL Injection

  • sqlmap - Automatic SQL injection and database takeover tool.

Template Injection

  • tqlmap - Code and Server-Side Template Injection Detection and Exploitation Tool by @epinna.

Leaking

Detecting

Preventing

  • js-xss - Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist by @leizongmin.

Proxy

  • Charles - HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.
  • mitmproxy - Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers by @mitmproxy.

Webshell

Disassembler

Decompiler

Others

  • Dnslogger - DNS Logger by @iagox86.
  • CyberChef - The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis - by @GCHQ.

Social Engineering Database

Blogs

Twitter Users

  • @HackwithGitHub - Initiative to showcase open source hacking tools for hackers and pentesters
  • @filedescriptor - Active penetrator often tweets and writes useful articles
  • @cure53berlin - Cure53 is a German cybersecurity firm.
  • @XssPayloads - The wonderland of JavaScript unexpected usages, and more.
  • @kinugawamasato - Japanese web penetrator.
  • @h3xstream - Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.
  • @garethheyes - English web penetrator.
  • @hasegawayosuke - Japanese javascript security researcher.

Practices

Application

AWS

XSS

ModSecurity / OWASP ModSecurity Core Rule Set

Community

Miscellaneous

Code of Conduct

Help your friends learn Websecurity. Go share!

I'm really pleased with the service you guys are providing.
Alex Melehy
Alex Melehy
Woodpecker, USA
I most likely will not use another company.
Kevin Allen
Kevin Allen
Namaste Fit Club, USA
Absolute expert. I 100% recommend.
Sonia Baibou
Sonia Baibou
ElleCode, France
One of the best engineers we've worked with.
Andrew Reedy
Andrew Reedy
Reachify, USA
I’m blown away. We need to clone him!
Ryan McClure
Ryan McClure
Reachify, USA
Thank you!!! You're so responsive.
Eric Masella
Eric Masella
Let's Play Nice, USA
We need more people like you!
Adil Virani
Adil Virani
Solomid, USA
A phenomenal programmer. Extremely respectful of my time.
Taylor Raboin
Taylor Raboin
Tay.is, USA
A unicorn who understands startups, design, mobile, and marketing.
Carl Carpenter
Carl Carpenter
Talksho, USA
An excellent front-end developer. Works using scrum methodology.
Federico Dibenedetto
Federico Dibenedetto
Wisboo, Argentina
Finished the job well ahead of schedule.
Giorgio Murru
Giorgio Murru
GM, France
Never lets me down, always exceeds my expectations.
Samuel Vicente
Samuel Vicente
ArtibleCity
Aim to be the best developer in the world? Join Us!