awesome-web-security

Awesome Web Security

🌎

🐶 Curated list of Web Security materials and resources.

Needless to say, most websites suffer from various types of bugs which may eventually lead to vulnerabilities. Why would this happen so often? There can be many factors involved including misconfiguration, shortage of engineers' security skills, etc. To combat this, here is a curated list of Web Security materials and resources for learning cutting edge penetration techniques, and I highly encourage you to read this article 🌎 So you want to be a web security researcher?" first.

Please read the contribution guidelines before contributing.

🌈 Want to strengthen your penetration skills?
I would recommend playing some awesome-ctfs.

If you enjoy this awesome list and would like to support it, check out my 🌎 Patreon page :)
Also, don't forget to check out my repos 🐾 or say hi on 🌎 X (formerly Twitter)!

🤖 Using an AI assistant?

This list also ships as a Claude Code Skill so AI agents can query it at runtime — no stale snapshot, always reads the latest data/index.json from master.

Install (one-liner, recommended):

npx skills add qazbnm456/awesome-web-security -a claude-code -g -y

Or inside 🌎 Claude Code, use the plugin marketplace:

/plugin marketplace add qazbnm456/awesome-web-security
/plugin install awesome-web-security

For  81987⭐  11841🍴 Codex), swap -a claude-code → -a codex.

Then ask any web-security question and the skill activates on topics like XSS, SQLi, SSRF, JWT, OAuth, recon, WAF evasion, deserialization, SAML, CTF write-ups, and more. See skills/awesome-web-security/SKILL.md for the full trigger list.

Contents

• Digests
• Forums
• Introduction
  • XSS
  • Prototype Pollution
  • CSV Injection
  • SQL Injection
  • Command Injection
  • ORM Injection
  • FTP Injection
  • XXE
  • CSRF
  • Clickjacking
  • SSRF
  • Web Cache Poisoning
  • Relative Path Overwrite
  • Open Redirect
  • SAML
  • Upload
  • Rails
  • AngularJS
  • ReactJS
  • SSL/TLS
  • Webmail
  • NFS
  • AWS
  • Azure
  • Fingerprint
  • Sub Domain Enumeration
  • Crypto
  • Web Shell
  • OSINT
  • DNS Rebinding
  • Deserialization
  • OAuth
  • JWT
• Evasions
  • XXE
  • CSP
  • WAF
  • JSMVC
  • Authentication
• Tricks
  • CSRF
  • Clickjacking
  • Remote Code Execution
  • XSS
  • SQL Injection
  • NoSQL Injection
  • FTP Injection
  • XXE
  • SSRF
  • Web Cache Poisoning
  • Header Injection
  • URL
  • Deserialization
  • OAuth
  • Others
• Browser Exploitation
• PoCs
  • Database
• Cheetsheets
• Tools
  • Auditing
  • Command Injection
  • Reconnaissance
    • OSINT
    • Sub Domain Enumeration
  • Code Generating
  • Fuzzing
  • Scanning
  • Penetration Testing
  • Offensive
    • XSS
    • SQL Injection
    • Template Injection
    • XXE