Comment on page

Application Security

Reliable Resources for AppSec

Getting Started
Component
 Description
Back end Servers
The hardware and operating system that hosts all other components and are usually run on operating systems like Linux, Windows, or using Containers.
Web Servers
Web servers handle HTTP requests and connections. Some examples are Apache, NGINX, and IIS.
Databases
Databases (DBs) store and retrieve the web application data. Some examples of relational databases are MySQL, MSSQL, Oracle, PostgreSQL, while examples of non-relational databases include NoSQL and MongoDB.
Development Frameworks
Development Frameworks are used to develop the core Web Application. Some well-known frameworks include PHP, C#, Java, Python, and NodeJS JavaScript
Field References
General
Mobile
Security Research
Code Analysis
API
Threat Modeling
​OWASP WSTG 4.2 !
​Burpsuite: Commercial Web app testing tool !
​Awesome Application Security Checklist​
​OWASP Cheat Sheet Series​
​Awesome Web Hacking from @infoslack​
​Awesome Web Security​
​PortSwigger Web Security Academy Lab Files from @rkhal101​
​Hack-Tools Chrome Extension for Web Pentesting​
​OWASP Vulnerability Scanner Tool List​
​Awesome Hacking Resources​
​Damn Vulnerable PHP App​
​Vulnerable Java Application​
​OWASP Secrets Management focused vulnerable app​
​403 byebye​
​TCM Security PWST Lab Environment !
​Web Pentesting Checklist by Joas​
​
​
​
Mobile Application Testing Guides
​OWASP MASVS  -Mobile Application Security Verification Standard
​OWASP MSTG - Mobile Application Security Testing Guide
​OWASP MAS Checklist ​
iOS
​iOS Testing Guide by Security Innovation
​
​
Android
​Secure Coding guide by JSSEC
​Intro to Android Pentesting by HackTheBox​
​
​
​
​
​
​
​
​Bug Hunter Handbook​
​Awesome Bug Bounty Resources​
​Awesome Bug Bounty Hunting Tool​
​All About Bug Bounty Note Repo​
​BugHunter Handbook​
​Bug Bounty Wiki​
​VulnPlanet - Vulnerable code snippets with fixes
​
​
Top Programs
1.Bugcrowd
2.HackerOne
3.Intigriti
4.YesWeHack ⠵
5.Synack, Inc.
6.HackenProof | Web3 bug bounty platform 🇺🇦
7.Open Bug Bounty
8.Immunefi
9.Cobalt
10.Zerocopter
11.Yogosha
12.SafeHats
13.Vulnerability Research Labs, LLC
14.AntiHACKme Pte Ltd
15.RedStorm Information Security
16.Cyber Army Indonesia
17.Hacktrophy
18.Nordic Defender
19.Capture The Bug
20.Bugbounter
21.Detectify
22.BugBase
23.Code4rena
24.huntr
25.Pentabug
​
​SonarQube website and Git Repo​
​CodeCat - open-source tool to help find/track user input sinks and other security bugs
​Betterscan​
References
Resources
Text
Text
​OWASP API Security Top 10 Vulnerabilities​
​API Security Checklist​
​Keyhacks​
​Vulnerable API Instance by @raj-kumar-j​
​Hacking APIs book by Corey Ball​
​DVWS: Vulnerable application with web service and API​
​DVGA: Vulnerable GraphQL API application​
​API Workshop by Corey Ball​
​OWASP API Tool List​
​MindAPI - interactive Mind Map
​
​
Testing Tools
Tools
Text
Text
​Grapql-cop​
​graphql voyager -converts a response of an introspection query into a visual graph that maps
​InQL -can inspect the introspection query results and generate clean documentation in different formats (Burp Extension)
Online JSON Web Token (JWT) Tool/Reference !
​SOAPUI​
​Postman​
​Kubeshark - API Traffic Viewer for Kubernetes​
​Metlo - API security tool​
​KiteRunner​
​
​
​
​NIST SP 800-30​
​https://www.youtube.com/playlist?list=PLCVhBqLDKoOOZqKt74QI4pbDUnXSQo0nf​
​
Recon
Browser Add-ons
Burp Add-ons
WAF
Deobfuscation
Reconnaissance
​Final Recon (Web Reconnaissance) from @thewhiteh4t​
​Sublist3r​
​patator​
​ffuf​
​wfuzz​
​xnLinkFinder​
​WebOSINT​
​All in One Recon Tool (AORT)​
​katana by ProjectDiscovery​
​Domain to IP converter (Python) by @YSSVirus​
​Cariddi by @edoardott​
​
Directory Fuzzing
​CeWL​
​fzf - Use alias in CLI to easily discover installed wordlists
​SecLists - various lists
SubDomain/DNS Enumeration
​MayorSec DNS Scan !
​PureDNS​
​DNSrr​
​AquaTone​
​DNSReaper​
​
Extensions and Plugins
​HackTools Browser Extension Repo (Easier install from extension menu)​
​Penetration Testing Kit Browser Extension !
​Wappalyzer Browser Extension​
​Vulners Browser Extension​
​Awesome Burp Extensions​
​Burp Upload Scanner​
BurpSuite Plugins
Common
Text
​Nuclei burp plugin (in Bapp store) - generate nuclei template from burp requests
​HackBar Extension (in Bapp store) - Security testing Payloads
​IP Rotate Burp Extension (in BApp store)
​Bypass-WAF (in BAPP store)
​Autorize -  Automatic authorization enforcement detection
​Hackvertor – Handy type conversion
Additional Plugins
Burp Bounty – Profile-based scanner
Active Scan++ – Add more power to Burp’s Active Scanner
AuthMatrix – Authorization/PrivEsc checks
Broken Link Hijacking – For BLH (Broken Link Hijacking)
Collaborator Everywhere – Pingback/SSRF (Server-Side Request Forgery)
Command Injection Attacker
Content-Type Converter – Trying to bypass certain restrictions by changing Content-Type
Decoder Improved – More decoder features
Freddy – Deserialization
Flow – Better HTTP history
HTTP Request Smuggler
Hunt – Potential vuln identifier
InQL – GraphQL Introspection testing
J2EE Scan – Scanning J2EE apps
JSON/JS Beautifier
JSON Web Token Attacker
ParamMiner – Mine hidden parameters
Reflected File Download Checker
Reflected Parameter – Potential reflection
SAML Raider – SAML testing
Upload Scanner – File upload tester
Web Cache Deception Scanner
Detection and Evasions
​wafw00f from @enableSecurity​
---
---
JS, PHP, HTML Deobfuscation
​Online Javascript Obfuscator​
​JavaScript Console (test javascript code excution)
​Toptal JavaScript-Minifier​
​Beautifier (obfuscator/code editor for CSS, HTML and JS)
​JSNice (JS de-obfuscator)
​Prettier (obfuscator/code editor)
Common Attacks
XSS
LFI/RFI
SSRF
SSTI
SQLi
Clickjacking
​
​PortSwigger XSS Cheat Sheet !
​XSS Exploitatation Tool​
​Tiny XSS Payloads​
​D4rkXSS​
​
​
​
​LFI Tester​
​
​Blind SSRF Chains repo​
​
​TPLMap (Automated Template Injection) from @epinna
​SSTImap (Automated Template Injection) from @vladko312
​
​SqlMap: An SQL injection and database takeover tool !
​SQL Injection Cheatsheet​
​Advanced SQL Injection Cheatsheet !
​Ghauri​
​Userefuzz - SQLi Fuzzing tool​
​
​
​CSS Button Generator​
​CSS Version 3 Button Generator​
​Clickjacker - Online tool
​Click-Jack - cli tool
Advanced Attacks
Deserialization
​
​ysoerial for Java libraries​
​Java Deserialization CheatSheet​
​ysoserial for .NET libraries​
​PHP Generic Gadget chains (PHPGGC) - AKA "ysoserial for PHP"
​
​

Component	Description
Back end Servers	The hardware and operating system that hosts all other components and are usually run on operating systems like Linux, Windows, or using Containers.
Web Servers	Web servers handle HTTP requests and connections. Some examples are Apache, NGINX, and IIS.
Databases	Databases (DBs) store and retrieve the web application data. Some examples of relational databases are MySQL, MSSQL, Oracle, PostgreSQL, while examples of non-relational databases include NoSQL and MongoDB.
Development Frameworks	Development Frameworks are used to develop the core Web Application. Some well-known frameworks include PHP, C#, Java, Python, and NodeJS JavaScript

Resources	Text	Text
OWASP API Security Top 10 Vulnerabilities	API Security Checklist	Keyhacks
Vulnerable API Instance by @raj-kumar-j	Hacking APIs book by Corey Ball	DVWS: Vulnerable application with web service and API
DVGA: Vulnerable GraphQL API application	API Workshop by Corey Ball	OWASP API Tool List
MindAPI - interactive Mind Map

Tools	Text	Text
Grapql-cop	graphql voyager -converts a response of an introspection query into a visual graph that maps	InQL -can inspect the introspection query results and generate clean documentation in different formats (Burp Extension)
Online JSON Web Token (JWT) Tool/Reference !	SOAPUI	Postman
Kubeshark - API Traffic Viewer for Kubernetes	Metlo - API security tool	KiteRunner

Common	Text
Nuclei burp plugin (in Bapp store) - generate nuclei template from burp requests	HackBar Extension (in Bapp store) - Security testing Payloads
IP Rotate Burp Extension (in BApp store)	Bypass-WAF (in BAPP store)
Autorize - Automatic authorization enforcement detection	Hackvertor – Handy type conversion

Field Resources - Previous

Offensive-Cybersecurity

Next - Field Resources

Defensive-Cybersecurity

Last modified 3mo ago

OWASP WSTG 4.2 !	Burpsuite: Commercial Web app testing tool !	Awesome Application Security Checklist
OWASP Cheat Sheet Series	Awesome Web Hacking from @infoslack	Awesome Web Security
PortSwigger Web Security Academy Lab Files from @rkhal101	Hack-Tools Chrome Extension for Web Pentesting	OWASP Vulnerability Scanner Tool List
Awesome Hacking Resources	Damn Vulnerable PHP App	Vulnerable Java Application
OWASP Secrets Management focused vulnerable app	403 byebye	TCM Security PWST Lab Environment !
Web Pentesting Checklist by Joas

Secure Coding guide by JSSEC	Intro to Android Pentesting by HackTheBox

Bug Hunter Handbook	Awesome Bug Bounty Resources	Awesome Bug Bounty Hunting Tool
All About Bug Bounty Note Repo	BugHunter Handbook	Bug Bounty Wiki
VulnPlanet - Vulnerable code snippets with fixes

Final Recon (Web Reconnaissance) from @thewhiteh4t	Sublist3r	patator
ffuf	wfuzz	xnLinkFinder
WebOSINT	All in One Recon Tool (AORT)	katana by ProjectDiscovery
Domain to IP converter (Python) by @YSSVirus	Cariddi by @edoardott

HackTools Browser Extension Repo (Easier install from extension menu)	Penetration Testing Kit Browser Extension !	Wappalyzer Browser Extension
Vulners Browser Extension	Awesome Burp Extensions	Burp Upload Scanner

Online Javascript Obfuscator	JavaScript Console (test javascript code excution)	Toptal JavaScript-Minifier
Beautifier (obfuscator/code editor for CSS, HTML and JS)	JSNice (JS de-obfuscator)	Prettier (obfuscator/code editor)

PortSwigger XSS Cheat Sheet !	XSS Exploitatation Tool	Tiny XSS Payloads
D4rkXSS

SqlMap: An SQL injection and database takeover tool !	SQL Injection Cheatsheet	Advanced SQL Injection Cheatsheet !
Ghauri	Userefuzz - SQLi Fuzzing tool

ysoerial for Java libraries	Java Deserialization CheatSheet	ysoserial for .NET libraries
PHP Generic Gadget chains (PHPGGC) - AKA "ysoserial for PHP"