I have 114 projects on Github
List of web application security
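A collection of projects on penetration testing, intranet penetration, incident response, password dictionaries, vulnerability databases, code auditing, and penetration testing interview questions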
Automated Mongo database and NoSQL web application exploitation tool
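Updates to this repository will continue to arrive until the number of links reaches 10000 links & 10000 pdf files. Learn Ethical Hacking and penetration testing. Hundreds of ethical hacking & penetration testing & red team & cyber security & computer science resources.
Mobile application security testing checklist
INFO-SPIDER is a crawler toolbox 🧰 that brings many data sources together, intended to help users retrieve their own data safely and quickly; the tool's code is open source and the process is transparent. Supported data sources include GitHub, QQ Mail, NetEase Mail, Alibaba Mail, Sina Mail, Hotmail, Outlook, JD.com, Taobao, Alipay, China Mobile, China Unicom, China Telecom, Zhihu, Bilibili, NetEase Cloud Music, QQ friends, QQ groups, WeChat Moments album generation, browser history, 12306, Cnblogs, CSDN blogs, OSChina blogs, and Jianshu.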
burpsuite cookbook
The OWASP ZAP core project
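An open-source host intrusion detection system from YSRC
A CAPTCHA framework that can be built on Spring, with flexible configuration, easy extensibility, and support for image and audio CAPTCHAs. It can be deployed in a distributed fashion as a CAPTCHA generation server and a verification server.
A tool for securely encrypting and running Spring Boot JARs, with support for native JARs.
Wukong scanner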
Wiki-like CTF write-ups repository, maintained by the community. 2017
WooYun public vulnerability and knowledge base crawler and search: crawl and search for wooyun.org public bugs (vulnerabilities) and drops
CMS identification
Web application bruteforcer
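🤗 A more elegant way to subscribe to WeChat Official Accounts, supporting private deployment and RSS generation for WeChat Official Accounts (based on WeChat Reading) v2.x
A design solution for open web API interfaces: basic signature verification and encryption components; AES + RSA; Chinese national SM cryptographic algorithms; API multi-version management, and more.
Cross-platform server file security monitoring software with SMS alerting
Home page of "The Road to Cybersecurity"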
w3af: web application attack and audit framework, the open source web vulnerability scanner.
Advanced vulnerability scanning with Nmap NSE
This guide details creating a secure Linux production system. OpenSCAP (C2S/CIS, STIG).
t0data on security
Swipe captcha for the Android platform.
PHP Frontend to work with the SQLMAP JSON API Server (sqlmapapi.py) to allow for a Web GUI to drive near full functionality of SQLMAP!
Software-Security-Learning
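StuQ programmer skill map
Sharing notes from the process of building a security management system, ISO27001, classified protection, and security reviews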
A Collection of Secure Mobile Development Best Practices
SecLists is the security tester's companion. It is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more.
Easy automated vulnerability scanning, reporting and analysis
Collection of security mind maps
Software Defined Perimeter using readily available Open Source components
ScanCode detects licenses, copyrights, package manifests & dependencies and more by scanning code ... to discover and inventory open source and third-party packages used in your code.
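A collection of some of the better open-source security projects, to help in-house security practitioners build enterprise security capabilities.
🧯 Risk control notes, suitable for internet companies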
Red Teaming Tactics and Techniques
Raptor - WAF - Web application firewall using DFA [ Current version ]
Curated list of public penetration testing reports released by several consulting firms
Proteus is an anti-reverse engineering system that provides protection from disassembly and debugging for software written in Java and C/C++.
PENTEST-WIKI is a free online security knowledge library for pentesters / researchers. If you have a good idea, please share it with others.
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Simple yet powerful CAPTCHA library written in Java
Awesome pre-trained models toolkit based on PaddlePaddle. (180+ models including Image, Text, Audio and Video with Easy Inference & Serving deployment)
Security engine for Java (authentication, authorization, multi frameworks): OAuth, CAS, SAML, OpenID Connect, LDAP, JWT...
A Java Nmap wrapper
My collection of nmap NSE scripts
AGPL web-based DNS management interface in PHP
MusicFree source plugin subscription aggregator - a comprehensive collection of subscriptions from across the web
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. With over 10,000 deployments world-wide, ModSecurity is the most widely deployed WAF in existence.
Minimal Mistakes GitHub Pages site starter
A curated collection of various security-related mind maps
Generation of diagrams like flowcharts or sequence diagrams from text in a similar manner as markdown
Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
Since JSONP and HTML5 Messaging are becoming more widely used, I put together a JavaScript library of security functions to help protect against things like DOM Based XSS.
Program that identifies dangerous functions in Java source code
Universal web application security sensor intended for real-time monitoring and defense.
A collection of Burpsuite Intruder payloads, fuzz lists and file uploads
A collection of HTTP response headers to elevate the security of your web app!
Personal backup
HTML5 Security Cheatsheet - A collection of HTML5 related XSS attack vectors
a GUI for Sqlmap written in python
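This program is intended to assist security incident responders when investigating Linux hosts: it automates comprehensive host-side checklist checks, automatically aggregates data from the results, and traces the attacker's path.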
Automated System Hardening Framework
Golang security checker
HTTP Header Analysis Vulnerability Tool
An extension library for fuzzdb
Official FuzzDB project repository
An awesome, fully responsive jQuery slider plugin
The FindBugs plugin for security audits of Java web applications and Android applications. (Also works with Scala projects)
File monitoring
Open-source MFC code for FileDisk and Filemon
Platform to host Capture the Flag competitions
Docker security analysis & hacking tools
Virtual environment for learning DevSecOps
Some setup scripts for security research tools.
Cobra - static code security scan & analyse (white-box code security audit system)
Crawler for downloading and quickly previewing literature from CNKI
CMS identification
Chrome Apps
a tool to perform static analysis of known vulnerabilities in docker images/containers
Penetration Testing/Security Cheatsheets
CDK is an open-sourced container penetration toolkit, offering stable exploitation in different slimmed containers without any OS dependency. It comes with penetration tools and many powerful PoCs/EXPs that help you escape containers and take over K8s clusters easily.
Java implementations of several kinds of CAPTCHA: CAPTCHAs generated with plain JSP and servlets, CAPTCHAs generated with the Kaptcha component, Chinese-character CAPTCHAs, arithmetic CAPTCHAs, and more
An entry level resource to learning bug bounty.
XSS platform, CTF tools, web security tools
Brute-force dictionaries
Original code about binary encryption from phrack
project barista - open source license and vulnerability management
PHP Webshell with handy features
Home of blockchain and distributed ledger projects like Azure Blockchain as a Service DevTest labs artifacts.
Aakash Choudhary Personal website
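Chinese edition of the awesome sysadmin resource list: backup/cloning software, cloud computing/cloud storage, collaboration software, configuration management, log management, monitoring, project management, and more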
A curated list of Microservice Architecture related principles and technologies.
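Chinese edition of the awesome Java resource list, including libraries, development tools, websites, blogs, WeChat, Weibo, and more, continuously updated by Jobbole (伯乐在线).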
An authoritative list of awesome devsecops tools with the help from community experiments and contributions.
A curated list of CTF frameworks, libraries, resources and softwares
A comprehensive curated list of available Bug Bounty & Disclosure Programs and Write-ups.
Automated Security Testing For REST API's
A software characterization source code analyzer that helps you understand what a program does by identifying interesting features and characteristics using static analysis and a customizable json based rules engine.
Android APK packing protection
AuQuery-based automated integration testing
Mind map of reading notes on "Advanced Guide to Internet Enterprise Security" - http://www.mottoin.com/95816.html & http://www.mottoin.com/95828.html Author: hblf@MottoIN Team
If you've ever picked up a book on Wireshark or network monitoring, they almost all cover about the same information. They'll show you, "Here's an ARP frame, here's an IP packet, here's a web request..." But what they don't go into is: when you open a Pcap file for the first time, where do you start? What are the things that you look for? And how do you find them? So my goal here is to help you bridge that gap between having a basic understanding of network protocol analyzers, and using them to solve real world problems.