This list is for anyone wishing to learn about web application security but do not have a starting point.

You can help by sending Pull Requests to add more information.

If you're not inclined to make PRs you can tweet me at @infoslack

Table of Contents

• Books
• Documentation
• Tools
• Cheat Sheets
• Docker
• Vulnerabilities
• Courses
• Online Hacking Demonstration Sites
• Labs
• SSL
• Security Ruby on Rails

Books

• http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/8126533404/ The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
• http://www.amazon.com/Hacking-Web-Apps-Preventing-Application/dp/159749951X/ Hacking Web Apps: Detecting and Preventing Web Application Security Problems
• http://www.amazon.com/Hacking-Exposed-Web-Applications-Third/dp/0071740643/ Hacking Exposed Web Applications
• http://www.amazon.com/SQL-Injection-Attacks-Defense-Second/dp/1597499633/ SQL Injection Attacks and Defense
• http://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886/ The Tangled WEB: A Guide to Securing Modern Web Applications
• http://www.amazon.com/Web-Application-Obfuscation-Evasion-Filters/dp/1597496049/ Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'
• http://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/ XSS Attacks: Cross Site Scripting Exploits and Defense
• http://www.amazon.com/Browser-Hackers-Handbook-Wade-Alcorn/dp/1118662091/ The Browser Hacker’s Handbook
• http://www.amazon.com/Basics-Web-Hacking-Techniques-Attack/dp/0124166008/ The Basics of Web Hacking: Tools and Techniques to Attack the Web
• http://www.amazon.com/Web-Penetration-Testing-Kali-Linux/dp/1782163166/ Web Penetration Testing with Kali Linux
• http://www.amazon.com/Web-Application-Security-Beginners-Guide/dp/0071776168/ Web Application Security, A Beginner's Guide
• https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441/ Hacking: The Art of Exploitation
• https://www.crypto101.io/ - Crypto 101 is an introductory course on cryptography
• http://www.offensive-security.com/metasploit-unleashed/ - Metasploit Unleashed
• http://www.cl.cam.ac.uk/~rja14/book.html - Security Engineering
• https://www.feistyduck.com/library/openssl-cookbook/ - OpenSSL Cookbook
• https://www.manning.com/books/real-world-cryptography - Learn and apply cryptographic techniques.
• https://www.manning.com/books/making-sense-of-cyber-security - A guide to the key concepts, terminology, and technologies of cybersecurity perfect for anyone planning or implementing a security strategy.
• https://www.manning.com/books/cyber-security-career-guide - Kickstart a career in cyber security by learning how to adapt your existing technical and non-technical skills.
• https://www.manning.com/books/secret-key-cryptography - A book about cryptographic techniques and Secret Key methods.
• https://www.manning.com/books/application-security-program-handbook - This practical book is a one-stop guide to implementing a robust application security program.
• https://www.manning.com/books/cyber-threat-hunting - Practical guide to cyber threat hunting.
• https://nostarch.com/bug-bounty-bootcamp - Bug Bounty Bootcamp
• https://nostarch.com/hacking-apis - Hacking APIs
• https://www.manning.com/books/grokking-web-application-security - A book about building web apps that are ready for and resilient to any attack.

Documentation

• https://www.owasp.org/ - Open Web Application Security Project
• http://www.pentest-standard.org/ - Penetration Testing Execution Standard
• http://www.binary-auditing.com/ - Dr. Thorsten Schneider’s Binary Auditing
• https://appsecwiki.com/ - Application Security Wiki is an initiative to provide all Application security related resources to Security Researchers and developers at one place.
• AppSec Santa - Independent comparison of 129+ web application security tools across SAST, DAST, SCA, and more.

Tools

• https://github.com/bad-antics/nullsec-linux - NullSec Linux - Security distribution with pre-configured web application testing tools

• https://github.com/bad-antics/nullsec-webfuzz - NullSec WebFuzz - Web application fuzzing framework

• https://www.deepinfo.com/ - Deepinfo Attack Surface Platform discovers all your digital assets, monitors them 24/7, detects any issues, and notifies you quickly so you can take immediate action.

  • https://github.com/bountyyfi/lonkero - Enterprise-grade web vulnerability scanner with 60+ attack modules, built in Rust for penetration testing and security assessments.

• https://spyse.com/ - OSINT search engine that provides fresh data about the entire web, storing all data in its own DB, interconnect finding data and has some cool features.

• http://www.metasploit.com/ - World's most used penetration testing software

• https://findsubdomains.com - Online subdomains scanner service with lots of additional data. works using OSINT.

• https://github.com/BlessedRebuS/Krawl - Cloud-native Web deception server and anti-crawler.

• https://github.com/bjeborn/basic-auth-pot HTTP Basic Authentication honeyPot.

• http://www.arachni-scanner.com/ - Web Application Security Scanner Framework

• https://github.com/sullo/nikto - Nikto web server scanner

• http://www.tenable.com/products/nessus-vulnerability-scanner - Nessus Vulnerability Scanner

• http://www.portswigger.net/burp/intruder.html - Burp Intruder is a tool for automating customized attacks against web apps.

• http://www.openvas.org/ - The world's most advanced Open Source vulnerability scanner and manager.

• https://github.com/iSECPartners/Scout2 - Security auditing tool for AWS environments

• https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project - Is a multi threaded java application designed to brute force directories and files names on web/application servers.

• https://www.owasp.org/index.php/ZAP - The Zed Attack Proxy is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

• https://github.com/vigolium/vigolium - High-fidelity web & API vulnerability scanner fusing agentic AI with a fast native engine; 250+ detection modules covering the OWASP Top 10, authenticated IDOR/BOLA & out-of-band testing, and OpenAPI/Postman/Burp/cURL inputs. Open-source, AGPL-3.0.

• https://github.com/tecknicaltom/dsniff - dsniff is a collection of tools for network auditing and penetration testing.

• https://github.com/WangYihang/Webshell-Sniper - Manage your webshell via terminal.

• https://github.com/DanMcInerney/dnsspoof - DNS spoofer. Drops DNS responses from the router and replaces it with the spoofed DNS response

• https://github.com/trustedsec/social-engineer-toolkit - The Social-Engineer Toolkit (SET) repository from TrustedSec

• https://github.com/sqlmapproject/sqlmap - Automatic SQL injection and database takeover tool

• https://github.com/beefproject/beef - The Browser Exploitation Framework Project

• http://w3af.org/ - w3af is a Web Application Attack and Audit Framework

• https://github.com/espreto/wpsploit - WPSploit, Exploiting Wordpress With Metasploit

• https://vulert.com/ - Vulert secures software by detecting vulnerabilities in open-source dependencies—without accessing your code. It supports Js, PHP, Java, Python, and more.

• https://github.com/WangYihang/Reverse-Shell-Manager - Reverse shell manager via terminal.

• https://github.com/RUB-NDS/WS-Attacker - WS-Attacker is a modular framework for web services penetration testing

• https://github.com/wpscanteam/wpscan - WPScan is a black box WordPress vulnerability scanner

• http://sourceforge.net/projects/paros/ Paros proxy

• https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project Web Scarab proxy

• https://code.google.com/p/skipfish/ Skipfish, an active web application security reconnaissance tool

• http://www.acunetix.com/vulnerability-scanner/ Acunetix Web Vulnerability Scanner

• https://cystack.net/ CyStack Web Security Platform

• http://www-03.ibm.com/software/products/en/appscan IBM Security AppScan

• https://www.netsparker.com/web-vulnerability-scanner/ Netsparker web vulnerability scanner

• http://www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/index.html HP Web Inspect

• https://github.com/sensepost/wikto Wikto - Nikto for Windows with some extra features

• http://samurai.inguardians.com Samurai Web Testing Framework

• https://code.google.com/p/ratproxy/ Ratproxy

• http://www.websecurify.com Websecurify

• http://sourceforge.net/projects/grendel/ Grendel-scan

• https://tools.kali.org/web-applications/gobuster Directory/file and DNS busting tool written in Go

• http://www.edge-security.com/wfuzz.php Wfuzz

• http://wapiti.sourceforge.net wapiti

• https://github.com/neuroo/grabber Grabber

• https://subgraph.com/vega/ Vega

• http://websecuritytool.codeplex.com Watcher passive web scanner

• http://xss.codeplex.com x5s XSS and Unicode transformations security testing assistant

• http://www.beyondsecurity.com/avds AVDS Vulnerability Assessment and Management

• http://www.golismero.com Golismero

• http://www.ikare-monitoring.com IKare

• http://www.nstalker.com N-Stalker X

• https://www.rapid7.com/products/nexpose/index.jsp Nexpose

• http://www.rapid7.com/products/appspider/ App Spider

• http://www.milescan.com ParosPro

• https://www.qualys.com/enterprises/qualysguard/web-application-scanning/ Qualys Web Application Scanning

• http://www.beyondtrust.com/Products/RetinaNetworkSecurityScanner/ Retina

• https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework Xenotix XSS Exploit Framework

• https://github.com/future-architect/vuls Vulnerability scanner for Linux, agentless, written in golang.

• https://github.com/rastating/wordpress-exploit-framework A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.

• http://www.xss-payloads.com/ XSS Payloads to leverage XSS vulnerabilities, build custom payloads, practice penetration testing skills.

• https://github.com/joaomatosf/jexboss JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool

• https://github.com/commixproject/commix Automated All-in-One OS command injection and exploitation tool

• https://github.com/pathetiq/BurpSmartBuster A Burp Suite content discovery plugin that add the smart into the Buster!

• https://github.com/GoSecure/csp-auditor Burp and ZAP plugin to analyze CSP headers

• https://github.com/ffleming/timing_attack Perform timing attacks against web applications

• https://github.com/lalithr95/fuzzapi Fuzzapi is a tool used for REST API pentesting

• https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)

• https://github.com/nccgroup/wssip Application for capturing, modifying and sending custom WebSocket data from client to server and vice versa.

• https://github.com/PalindromeLabs/STEWS Tool suite for WebSocket discovery, fingerprinting, and vulnerability detection

• https://github.com/tijme/angularjs-csti-scanner Automated client-side template injection (sandbox escape/bypass) detection for AngularJS (ACSTIS).

• https://reshift.softwaresecured.com A source code analysis tool for detecting and managing Java security vulnerabilities.

• https://encoding.tools Web app for transforming binary data and strings, including hashes and various encodings. GPLv3 offline version available.

• https://gchq.github.io/CyberChef/ A "Cyber Swiss Army Knife" for carrying out various encodings and transformations of binary data and strings.

• https://github.com/urbanadventurer/WhatWeb WhatWeb - Next generation web scanner

• https://www.shodan.io/ Shodan - The search engine for find vulnerable servers

• https://github.com/WangYihang/Webshell-Sniper A webshell manager via terminal

• https://github.com/nil0x42/phpsploit PhpSploit - Full-featured C2 framework which silently persists on webserver via evil PHP oneliner

• https://webhint.io/ - webhint - webhint is a customizable linting tool that helps you improve your site's accessibility, speed, cross-browser compatibility, and more by checking your code for best practices and common errors.

• https://gtfobins.github.io/ - gtfobins - GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.

• https://github.com/HightechSec/git-scanner git-scanner - A tool for bug hunting or pentesting for targeting websites that have open .git repositories available in public

• Web Application Exploitation @ Rawsec Inventory - Complete list of Web pentesting tools

• Cyclops is a novel browser that can detect vulnerability automatically - Cyclops is a web browser with XSS detection feature

• https://caido.io/ - Web proxy

• https://github.com/assetnote/kiterunner - API discovery

• https://github.com/owasp-amass/amass - domain recon

• https://columbus.elmasy.com/ - Columbus Project is an advanced subdomain discovery service with fast, powerful and easy to use API.

• BadUSB Script To Exfiltrate Passwords - Extracts all saved passwords from Chrome, Firefox, and Edge to be saved onto secondary USB for further analysis.

• https://github.com/flibustier/jwt-online-cracker - Brute-force HS256, HS384 or HS512 JWT Token from your browser (fully client-side).

• https://github.com/lukechilds/reverse-shell - Easy to remember reverse shell that should work on most Unix-like systems.

• https://github.com/momenbasel/keyFinder - Chrome extension that passively scans web pages for leaked API keys, tokens, and secrets using 80+ detection patterns and Shannon entropy across 10 attack surfaces.

• https://github.com/DenisPodgurskii/pentestkit - Browser-based vulnerability scanner for bug bounty and pentesting workflows, combining DAST, SAST, IAST, and SCA capabilities to detect runtime, source-level, interactive, and dependency-related security issues.

• SaaSFort - Free 60-second external NIS2 / security posture scan, A-F grade, no signup required.
• ARS3NAL - Offline-first, searchable arsenal: ~1500 payloads, command generator, GTFOBins, wordlists, embedded CyberChef, reverse shells and 70 checklists.

Cheat Sheets

• http://n0p.net/penguicon/php_app_sec/mirror/xss.html - XSS cheatsheet
• https://highon.coffee/blog/lfi-cheat-sheet/ - LFI Cheat Sheet
• https://highon.coffee/blog/reverse-shell-cheat-sheet/ - Reverse Shell Cheat Sheet
• https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/ - SQL Injection Cheat Sheet
• https://www.gracefulsecurity.com/path-traversal-cheat-sheet-windows/ - Path Traversal Cheat Sheet: Windows
• Pentest Mindmap - Interactive mindmap with 11,600+ pentesting commands across 32 categories. Searchable with one-click copy.

Docker images for Penetration Testing

• docker pull kalilinux/kali-linux-docker official Kali Linux
• docker pull blackarchlinux/blackarch official BlackArch Linux
• docker pull owasp/zap2docker-stable - official OWASP ZAP
• docker pull wpscanteam/wpscan - official WPScan
• docker pull metasploitframework/metasploit-framework - docker-metasploit
• docker pull citizenstig/dvwa - Damn Vulnerable Web Application (DVWA)
• docker pull bkimminich/juice-shop OWASP Juice Shop
• docker pull wpscanteam/vulnerablewordpress - Vulnerable WordPress Installation
• docker pull hmlio/vaas-cve-2014-6271 - Vulnerability as a service: Shellshock
• docker pull hmlio/vaas-cve-2014-0160 - Vulnerability as a service: Heartbleed
• docker pull opendns/security-ninjas - Security Ninjas
• docker pull noncetonic/archlinux-pentest-lxde:1.0 - Arch Linux Penetration Tester
• docker pull diogomonica/docker-bench-security - Docker Bench for Security
• docker pull ismisepaul/securityshepherd - OWASP Security Shepherd
• docker pull danmx/docker-owasp-webgoat - OWASP WebGoat Project docker image
• docker pull docker pull jeroenwillemsen/wrongsecrets - OWASP WrongSecrets Project docker image
• docker pull citizenstig/nowasp - OWASP Mutillidae II Web Pen-Test Practice Application
• docker pull aaaguirre/pentest - Docker for pentest
• docker pull rustscan/rustscan:2.0.0 - The Modern Port Scanner

Vulnerabilities

• http://cve.mitre.org/ - Common Vulnerabilities and Exposures. The Standard for Information Security Vulnerability Names
• https://www.exploit-db.com/ - The Exploit Database – ultimate archive of Exploits, Shellcode, and Security Papers.
• http://0day.today/ - Inj3ct0r is the ultimate database of exploits and vulnerabilities and a great resource for vulnerability researchers and security professionals.
• http://www.securityfocus.com/ - Since its inception in 1999, SecurityFocus has been a mainstay in the security community.
• http://packetstormsecurity.com/ - Global Security Resource
• https://wpvulndb.com/ - WPScan Vulnerability Database
• https://snyk.io/vuln/ - Vulnerability DB, Detailed information and remediation guidance for known vulnerabilities.
• https://stellastra.com/cipher-suite - Database of hundreds of TLS cipher suites and their security status.
• https://vulert.com/vuln-db - Vulert helps developers secure their software by monitoring and alerting them to vulnerabilities in open-source dependencies—without requiring access to their code. It supports dependencies from Js, PHP, Java, Python, and many more.
• https://vulncheck.com/xdb/ - An index of exploit proof-of-concept code in Git repositories.
• https://labs.jamessawyer.co.uk/cves/ - CVE PoC Search provides CVE-to-GitHub proof-of-concept lookup to quickly pivot from a web vulnerability to public exploit code.

Courses

• https://pwn.guide/ - Cybersecurity learning platform, with about 100 tutorials, approximately 25 of them are about web hacking & defending websites.
• https://www.offensive-security.com/information-security-training/advanced-web-attack-and-exploitation/ Offensive Security Advanced Web Attacks and Exploitation (live)
• https://www.sans.org/course/web-app-penetration-testing-ethical-hacking Sans SEC542: Web App Penetration Testing and Ethical Hacking
• https://www.sans.org/course/advanced-web-app-penetration-testing-ethical-hacking Sans SEC642: Advanced Web App Penetration Testing and Ethical Hacking
• http://opensecuritytraining.info/ - Open Security Training
• http://securitytrainings.net/security-trainings/ - Security Exploded Training
• http://www.securitytube.net/ - World’s largest Infosec and Hacking Portal.
• https://www.hacker101.com/ - Free class for web security by Hackerone
• https://www.darkrelay.com/courses/professional-penetration-tester - Zero-Hero style Pentesting course by DarkRelay Security Labs

Online Hacking Demonstration Sites

• http://testasp.vulnweb.com/ - Acunetix ASP test and demonstration site
• http://testaspnet.vulnweb.com/ - Acunetix ASP.Net test and demonstration site
• http://testphp.vulnweb.com/ - Acunetix PHP test and demonstration site
• http://crackme.cenzic.com/kelev/view/home.php - Crack Me Bank
• http://zero.webappsecurity.com/ - Zero Bank
• http://demo.testfire.net/ - Altoro Mutual
• https://public-firing-range.appspot.com/ - Firing Range is a test bed for automated web application security scanners.
• https://xss-game.appspot.com/ - XSS challenge
• https://google-gruyere.appspot.com/ Google Gruyere, web application exploits and defenses
• https://ginandjuice.shop/catalog
• https://pentest-ground.com/ Pentest-Ground is a free playground with deliberately vulnerable web applications and network services.
• HackSimulator is a GPT created by MarkCyber in which chatGPT 4 acts as a hacking CTF. This GPT will ask for your experience level and what you would like to improve on, before simulating a machine/application for you to hack into, using the chatbox as the place to input terminal commands. Since this is through AI, it changes and adjust based on your experience level and you can ask for help if you are stuck.

Labs

• https://portswigger.net/web-security - Web Security Academy: Free Online Training from PortSwigger
• http://www.cis.syr.edu/~wedu/seed/all_labs.html - Developing Instructional Laboratories for Computer SEcurity EDucation
• https://www.vulnhub.com/ - Virtual Machines for Localhost Penetration Testing.
• https://pentesterlab.com/ - PentesterLab is an easy and great way to learn penetration testing.
• https://codereviewlab.com/ - Code Review Lab is a hands-on code review training platform.
• https://github.com/jerryhoff/WebGoat.NET - This web application is a learning platform about common web security flaws.
• http://www.dvwa.co.uk/ - Damn Vulnerable Web Application (DVWA)
• http://sourceforge.net/projects/lampsecurity/ - LAMPSecurity Training
• https://github.com/Audi-1/sqli-labs - SQLI labs to test error based, Blind boolean based, Time based.
• https://github.com/paralax/lfi-labs - small set of PHP scripts to practice exploiting LFI, RFI and CMD injection vulns
• https://hack.me/ - Build, host and share vulnerable web apps in a sandboxed environment for free
• http://azcwr.org/az-cyber-warfare-ranges - Free live fire Capture the Flag, blue team, red team Cyber Warfare Range for beginners through advanced users. Must use a cell phone to send a text message requesting access to the range.
• https://github.com/adamdoupe/WackoPicko - WackoPicko is a vulnerable web application used to test web application vulnerability scanners.
• https://github.com/rapid7/hackazon - Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications.
• https://github.com/RhinoSecurityLabs/cloudgoat - Rhino Security Labs' "Vulnerable by Design" AWS infrastructure setup tool
• https://www.hackthebox.eu/ - Hack The Box is an online platform allowing you to test and advance your skills in cyber security.
• https://github.com/tegal1337/0l4bs - 0l4bs is a Cross-site scripting labs for web application security enthusiasts.
• https://github.com/oliverwiegers/pentest_lab - Local pentest lab leveraging docker compose.
• https://ginandjuice.shop/catalog
• https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
• https://labex.io/skilltrees/cybersecurity - LabEx is an online platform for enhancing your cyber security skills through hands-on labs.
• https://pythoncyber.go.ro - CyberPython helps you to make your own research in order to solve challenges, exploit CVEs and make good scripts.
• https://github.com/kOaDT/oss-oopssec-store - OSS – OopsSec Store: An intentionally vulnerable e-commerce application built with Next.js and React for web security training and CTF practice.
• https://github.com/momenbasel/htb-writeups - HTB Writeups: The most comprehensive Hack The Box writeup collection with 500+ machines, 400+ challenges, ProLabs, Sherlocks, CTF events, and cheatsheets.

SSL

• https://www.ssllabs.com/ssltest/index.html - This service performs a deep analysis of the configuration of any SSL web server on the public Internet.
• http://certdb.com/ - SSL/TLS data provider service. Collect the data about digital certificates - issuers, organisation, whois, expiration dates, etc... Plus, has handy filters for convenience.
• https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - Strong SSL Security on nginx
• https://weakdh.org/ - Weak Diffie-Hellman and the Logjam Attack
• https://letsencrypt.org/ - Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open.
• https://filippo.io/Heartbleed/ - A checker (site and tool) for CVE-2014-0160 (Heartbleed).
• https://testssl.sh/ - A command line tool which checks a website's TLS/SSL ciphers, protocols and cryptographic flaws.
• Scorifya - 0–100 security score for any website covering TLS, security headers (CSP, HSTS, X-Frame-Options), cookies, DNS, and email signals (SPF, DKIM, DMARC) with ranked fix steps.

Security Ruby on Rails

• http://brakemanscanner.org/ - A static analysis security vulnerability scanner for Ruby on Rails applications.
• https://github.com/rubysec/ruby-advisory-db - A database of vulnerable Ruby Gems
• https://github.com/rubysec/bundler-audit - Patch-level verification for Bundler
• https://github.com/hakirisec/hakiri_toolbelt - Hakiri Toolbelt is a command line interface for the Hakiri platform.
• https://hakiri.io/facets - Scan Gemfile.lock for vulnerabilities.
• http://rails-sqli.org/ - This page lists many query methods and options in ActiveRecord which do not sanitize raw SQL arguments and are not intended to be called with unsafe user input.
• https://github.com/0xsauby/yasuo - A ruby script that scans for vulnerable & exploitable 3rd-party web applications on a network