Skill

awesome-web-security

Looks up web security learning resources from a curated index: XSS, SQLi, CSRF, SSRF, OAuth/JWT, deserialization, SAML, recon, evasion, defensive tooling, CTF. Filters by topic, difficulty, language, and type.

security

npx claudepluginhub qazbnm456/awesome-web-security --plugin awesome-web-security

Configuration

When to use: XSS, SQL injection, CSRF, SSRF, XXE, OAuth, JWT, prototype pollution, deserialization, SAML, file upload, web cache poisoning, WAF evasion, CSP bypass, browser exploitation, subdomain enumeration, OSINT, web security, penetration testing references, bug bounty resources, CTF web challenges, payload list, security cheatsheet, awesome list, 资安, 渗透, 学习资源, 安全, 漏洞, セキュリティ, ペンテスト, 脆弱性

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Curated lookup over [qazbnm456/awesome-web-security](https://github.com/qazbnm456/awesome-web-security).

SKILL.md

Similar Skills

awesome-web-security

patt-fetcher

257

Fetches and extracts security testing payloads from PayloadsAllTheThings on demand. Supports SQLi, XSS, SSTI, SSRF, command injection, privilege escalation, and more.

communitytools

top-web-vulnerabilities

37.2k

References 100 critical web vulnerabilities by category with definitions, root causes, impacts, and mitigations. Useful for web security audits, testing, and remediation.

antigravity-awesome-skills

Stats

Stars13360

Forks1776

Last CommitMay 11, 2026

Used By2 plugins

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

/awesome-web-security

Curated lookup over qazbnm456/awesome-web-security. Always fetches the latest index from raw.githubusercontent.com — no stale snapshot.

When to use

A user asks for resources, references, learning paths, or tools related to web security topics: XSS, SQLi, CSRF, SSRF, XXE, OAuth/JWT, prototype pollution, deserialization, SAML, file upload, web cache poisoning, WAF / CSP evasion, browser exploitation, recon (subdomain enumeration, OSINT), DNS rebinding, CTF write-ups, bug bounty methodology, defensive tooling, payload lists, cheatsheets, or related blogs.

When NOT to use

The user wants to attack a target they do not own and have not been authorized to test. Decline and ask for scope: own system, CTF, authorized pentest, academic research, or defensive analysis.
The user is asking for malware authoring, mass scanning of unowned infrastructure, or detection-evasion guidance for offensive purposes.
The question has no security framing — it's general programming or framework usage. Hand off to a non-security skill.

How

Fetch the index with WebFetch: https://raw.githubusercontent.com/qazbnm456/awesome-web-security/master/data/index.json

Parse the JSON. Schema:

{
  "schema_version": "1",
  "categories": [{"key": "xss", "title": "...", "h_level": 3, "parent": "intro", "anchor": "xss"}],
  "entries": [{
    "id": "xss-google-app-security",
    "url": "...",
    "title": "...",
    "author": {"name": "...", "url": "..."},
    "category": "xss",
    "type": "article|tool|cheatsheet|video|book|community|payload-list",
    "languages": ["en", "zh", "jp"],
    "difficulty": "intro|intermediate|advanced",
    "date_added": "YYYY-MM-DD",
    "archive_url": "...|null",
    "last_checked": "YYYY-MM-DD|null",
    "status": "active|dead|archived-only|quarantined"
  }]
}

Filter by:
- category matching the user's topic (a topic may map to several categories — for "XSS" check xss, tools-xss, tricks-xss, practices-xss, evasions-csp as relevant).
- languages: default to the user's language; fall back to en.
- difficulty: include all unless the user asked for "intro" or "deep".
- type: filter by what the user wants — articles, tools, cheatsheets, payload lists, etc.
Rank by:
- "Latest" requests → date_added DESC.
- "Deep dive" requests → prefer difficulty: advanced, then by depth signals (long titles, payload-list type, presence of author URL).
- "Tools" requests → type: tool only.
Return 5–7 entries; for each include title, URL, archive_url fallback if status != active, and a one-line value statement explaining what this entry teaches.

Safety guardrails

Refuse to assist with unauthorized targeting. Ask for scope.
Frame all results defensively / educationally.
For payload-list entries, append: "Test payloads only against systems you own or have written authorization to test."
Do not chain entries into an attack playbook against a named real target.

Output format

For each result:

Title — author • difficulty • type One line on what this teaches and why it matters. (Archive fallback: archive_url) — included only when status != active.

End with:

Cited from qazbnm456/awesome-web-security. Full list and categories at the README.

Failure handling

JSON fetch fails (network, 404, parse error) → respond: "The awesome-web-security index is temporarily unreachable. Try again shortly, or visit https://github.com/qazbnm456/awesome-web-security directly." Do NOT fabricate entries.
No matches in the requested category → say so explicitly. Offer adjacent categories from categories[].parent chain.

Examples

User: "I'm learning XSS, give me intermediate-level resources in English." → Filter category matching xss, tools-xss, tricks-xss, evasions-csp; languages contains en; difficulty in intermediate or advanced; rank by date_added DESC; return top 5–7.

User: "我想找最新的 SSRF 文章。" → Filter category matching ssrf, tricks-ssrf, tools-ssrf; languages contains zh; rank by date_added DESC; return in Chinese.

User: "What's a good XSS payload list?" → Filter category: xss AND type: payload-list; rank by depth signals. Append the unauthorized-testing reminder.