Awesome Web Security – The Ultimate Guide To Mastering Techniques, Tools, And Resources

Needless to say, most websites suffer from various types of bugs which may eventually lead to vulnerabilities.

Why would this happen so often? There can be many factors involved including misconfiguration, shortage of engineers’ security skills, etc.

To combat this, here is a curated list of Web Security materials and resources for learning cutting edge penetration techniques, and I highly encourage you to read this article “So you want to be a web security researcher?” first.

Please read the contribution guidelines before contributing.

If you enjoy this awesome list and would like to support it, check out my Patreon page 🙂
Also, don’t forget to check out my repos or say hi on my Twitter!

Digests
Forums
Introduction
- XSS
- Prototype Pollution
- CSV Injection
- SQL Injection
- Command Injection
- ORM Injection
- FTP Injection
- XXE
- CSRF
- Clickjacking
- SSRF
- Web Cache Poisoning
- Relative Path Overwrite
- Open Redirect
- SAML
- Upload
- Rails
- AngularJS
- ReactJS
- SSL/TLS
- Webmail
- NFS
- AWS
- Azure
- Fingerprint
- Sub Domain Enumeration
- Crypto
- Web Shell
- OSINT
- DNS Rebinding
- Deserialization
- OAuth
- JWT
Evasions
- XXE
- CSP
- WAF
- JSMVC
- Authentication
Tricks
- CSRF
- Clickjacking
- Remote Code Execution
- XSS
- SQL Injection
- NoSQL Injection
- FTP Injection
- XXE
- SSRF
- Web Cache Poisoning
- Header Injection
- URL
- Deserialization
- OAuth
- Others
Browser Exploitation
PoCs
- Database
Cheetsheets
Tools
- Auditing
- Command Injection
- Reconnaissance
  - OSINT
  - Sub Domain Enumeration
- Code Generating
- Fuzzing
- Scanning
- Penetration Testing
- Leaking
- Offensive
  - XSS
  - SQL Injection
  - Template Injection
  - XXE
  - CSRF
  - SSRF
- Detecting
- Preventing
- Proxy
- Webshell
- Disassembler
- Decompiler
- DNS Rebinding
- Others
Social Engineering Database
Blogs
Twitter Users
Practices
- Application
- AWS
- XSS
- ModSecurity / OWASP ModSecurity Core Rule Set
Community
Miscellaneous

Digests

Hacker101 – Written by hackerone.
The Daily Swig – Web security digest – Written by PortSwigger.
Web Application Security Zone by Netsparker – Written by Netsparker.
Infosec Newbie – Written by Mark Robinson.
The Magic of Learning – Written by @bitvijays.
CTF Field Guide – Written by Trail of Bits.
PayloadsAllTheThings – Written by @swisskyrepo.
tl;dr sec – Weekly summary of top security tools, blog posts, and security research.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.