Links to online resources & tools we use during our web application / network security courses.
You can create a PR or open an issue if you think we missed a useful resource.
Short URL: https://git.io/secres
- Compass Security: https://compass-security.com/de/
- Compass Security Blog: https://blog.compass-security.com/
- Hacking Lab 1.0: https://www.hacking-lab.com/
- Hacking Lab 2.0: https://compass.hacking-lab.com/
- Hacking Lab Live CD: https://livecd.hacking-lab.com/
- Awesome Security: https://github.com/sbilly/awesome-security
- Payload All The Things: https://github.com/swisskyrepo/PayloadsAllTheThings
- HackTricks: https://book.hacktricks.xyz/
- InfoSec Reference That Doesn't Suck!(Much): https://rmusser.net/docs/index.html
- Awesome Penetration Testing: https://github.com/enaqx/awesome-pentest
- Various Security Tutorials by Prof. Andreas Steffen, strongSec GmbH: https://github.com/strongX509/cyber/
- CyberChef: https://gchq.github.io/CyberChef/
- Useful Web Tools by @h43z: https://h.43z.one/
- Explain Shell Commands: https://explainshell.com/
- Online Regex Tester & Debugger: https://regex101.com/
- Phrack: http://phrack.org/
- PoC||GTFO: https://www.alchemistowl.org/pocorgtfo/
- media.ccc.de: https://media.ccc.de/
- LiveOverflow: https://www.youtube.com/c/LiveOverflowCTF/
- Stacksmashing: https://www.youtube.com/channel/UC3S8vxwRfqLBdIhgRlDRVzw
- IppSec (Hack The Box Walkthroughs): https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
- /dev/null: https://www.youtube.com/channel/UCGISJ8ZHkmIv1CaoHovK-Xw
- DEFCON Switzerland / Area41: https://www.youtube.com/user/defconswitzerland/
- Swiss Cyber Storm: https://www.youtube.com/channel/UCY-Wb3JuBv_xpa8s6ZrpUxg/
- Cooper Recordings: https://administraitor.video/
- DEFCON: https://www.youtube.com/user/DEFCONConference/
- Black Hat: https://www.youtube.com/user/BlackHatOfficialYT
- HTML Standard: https://html.spec.whatwg.org/
- W3Schools: https://www.w3schools.com/
- Mozilla Developer Network (MDN): https://developer.mozilla.org/
- Compass Demo: https://www.compass-demo.com/
- PortSwigger Online Seminar: https://portswigger.net/web-security
- OWASP: https://owasp.org/
- OWASP Top 10: https://owasp.org/www-project-top-ten/
- OWASP Application Security Verification Standard (ASVS): https://owasp.org/www-project-application-security-verification-standard/
- Stanford Web Security Class: https://web.stanford.edu/class/cs253/
- HTTP Status Codes: https://httpstatuses.com/
- Can I Use (Browser Support Matrix): https://caniuse.com/
- Mozilla Developer Network: https://developer.mozilla.org/
- W3C Overview: https://www.w3.org/TR/
- CORS: https://www.w3.org/TR/2020/SPSD-cors-20200602/
- HTTP/2 Explained: https://http2-explained.haxx.se/
- HTTP/3 Explained: https://http3-explained.haxx.se/
- HTTP/2 Speed Demo: https://http2.akamai.com/demo
- Have I Been Pwned (Password Leaks): https://haveibeenpwned.com/
- Pwned Passwords: https://haveibeenpwned.com/Passwords
- Dehashed Leaked Passwords Database: https://www.dehashed.com/
- Hashes.org (Password Hash Database): https://hashes.org/
- OAuth.net: https://oauth.net/2/
- OAuth 2.0 Simplified: https://www.oauth.com/
- The OAuth 2.0 Authorization Framework, RFC 6749: https://tools.ietf.org/html/rfc6749
- OAuth 2.0 Security Best Current Practice: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16
- OpenID Connect & OAuth 2.0 - Security Best Practices, Dominick Baier, 2020: https://www.youtube.com/watch?v=AUgZffkurK0
- OAuth 2.0 for Browser-Based Apps: https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-07
- OIDC Discovery: https://auth0.com/docs/protocols/configure-applications-with-oidc-discovery)
- PortSwigger XSS Cheat Sheet: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
- XSS Payloads: https://html5sec.org/
- XSS Hunter: https://xsshunter.com/
- Script Gadgets: https://github.com/google/security-research-pocs (bypass overview: https://github.com/google/security-research-pocs/blob/master/script-gadgets/bypasses.md)
- Browser Exploitation Framework (BeEF): https://beefproject.com/
- Attack Examples
- XSS in Electron App leads to RCE: https://blog.doyensec.com/2017/08/03/electron-framework-security.html
- XSS in Google Search Field: https://www.youtube.com/watch?v=lG7U3fuNw3A
- XSS in Tweetdeck Twitter Client: https://twitter.com/dergeruhn/status/476764918763749376?lang=en
- Same-Site Cookie Flag: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-06
- Public Suffix List (https://publicsuffix.org): https://publicsuffix.org/list/public_suffix_list.dat
- Security Headers: https://securityheaders.com/
- Content Security Policy (CSP) Evaluator: https://csp-evaluator.withgoogle.com/ (Code: https://github.com/google/csp-evaluator)
- JWT Decoder/Encoder: https://jwt.io/
- PentesterLab JWT Cheat Sheet: https://assets.pentesterlab.com/jwt_security_cheatsheet/jwt_security_cheatsheet.pdf
- Convert JWK to PEM:
- Crypto Playground: https://8gwifi.org/jwkconvertfunctions.jsp
- Keytool: https://keytool.online/
- Attack Examples
- Algorithm Confusion
- Auth0 Info: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
- pyjwt CVE-2017-11424: https://www.cvedetails.com/cve/CVE-2017-11424/
- pyjwt fix: https://github.com/jpadilla/pyjwt/commit/88a9fc56bdc6c870aa6af93bda401414a217db2a, https://github.com/jpadilla/pyjwt/commit/37926ea0dd207db070b45473438853447e4c1392
- Algorithm Confusion
- PortSwigger SQL Injection Cheat Sheet: https://portswigger.net/web-security/sql-injection/cheat-sheet
- Attack Examples
- Sending mails via SMTP using XXE: https://shiftordie.de/blog/2017/02/18/smtp-over-xxe/
- Burp Suite: https://portswigger.net/burp/communitydownload
- sqlmap: http://sqlmap.org/
- Burp Suite Extensions
- Talk "Automated security testing for Software Developers who dont know security!" (shows how to use OWASP ZAP in a CI/CD pipeline): https://media.ccc.de/v/Camp2019-10181-automated_security_testing_for_software_developers_who_dont_know_security
- OWASP Web Goat: https://owasp.org/www-project-webgoat/
- Damn Vulnerable Web Application: http://www.dvwa.co.uk/
- OWASP JuiceShop: https://owasp.org/www-project-juice-shop/
- SSL/TLS and PKI History: https://www.feistyduck.com/ssl-tls-and-pki-history/
- Every Byte of a TLS Connection: https://tls.ulfheim.net/
- Every Byte of a TLS Connection for TLS 1.3: https://tls13.ulfheim.net/
- SSL Labs (TLS Server Test): https://ssllabs.com
- Hardenize: https://hardenize.com/
- BadSSL: Weak TLS Configuration Test Page: https://badssl.com
- Certificate Transparency Search: https://crt.sh/
- SSLyze TLS Server Test Tool: https://github.com/nabla-c0d3/sslyze
- Key Lengths: https://keylength.com
- Cryptopals Crypto Challenges: https://cryptopals.com/
- CryptoHack: https://cryptohack.org/
- Key generation / conversion: https://keytool.online/
- contained.af (separation examples): https://contained.af/
- Hacking Tools Cheat Sheet: https://github.com/CompassSecurity/Hacking_Tools_Cheat_Sheet
- Amass: https://github.com/OWASP/Amass
- Sublist3r: https://github.com/aboul3la/Sublist3r
- Shodan: https://www.shodan.io/
- Censys: https://censys.io/
- Payload All The Things: https://github.com/swisskyrepo/PayloadsAllTheThings
- VirusTotal: https://www.virustotal.com/
- FuzzDB: https://github.com/fuzzdb-project/fuzzdb
- SecLists: https://github.com/danielmiessler/SecLists
- Rapid7 Open Data: https://opendata.rapid7.com/
- PortQuiz: http://portquiz.net/
- xip.io (wildcard DNS): http://xip.io/
- nip.io (wildcard DNS): https://nip.io/
- RequestBin.NET: http://requestbin.net/
- Various useful tools: https://h.43z.one/
- Request Logger: http://log.43z.one/
- IP Address Convertor (useful for SSRF): https://h.43z.one/ipconverter/
- Nmap: https://nmap.org/
- Nmap-parse-output: https://github.com/ernw/nmap-parse-output
- Aquatone: https://github.com/michenriksen/aquatone
- SMBMap: https://github.com/ShawnDEvans/smbmap
- Snaffler: https://github.com/SnaffCon/Snaffler
- Subjack: https://github.com/haccer/subjack
- Sniffing Tools
- tcpdump: https://www.tcpdump.org/
- Wireshark / Tshark: https://www.wireshark.org/
- PCAP Collection
- Wireshark Samle Captures: https://wiki.wireshark.org/SampleCaptures
- Sniffing Analysis
- PacketTotal: https://packettotal.com/
- A-Packets: https://apackets.com/
- Extract credentials from network interfaces / PCAP files
- net-creds: https://github.com/DanMcInerney/net-creds
- PCredz: https://github.com/lgandx/PCredz
- DNSViz (show DNSSEC chain): https://dnsviz.net/
- Public .ch DNS Zone: https://www.switch.ch/open-data/#tab-c5442a19-67cf-11e8-9cf6-5254009dc73c-3
- Search Tool: https://search-ch-domains.idocker.hacking-lab.com/
- Metasploit: https://www.metasploit.com/
- Vulnerability Database: https://cvedetails.com/
- Exploit Database: https://www.exploit-db.com/
- Hak5 Gadget Shop: https://shop.hak5.org/
- Covenant: https://github.com/cobbr/Covenant
- Ncrack: https://nmap.org/ncrack/
- Hydra: https://github.com/vanhauser-thc/thc-hydra
- Hashcat: https://hashcat.net/hashcat/
- John The Ripper: https://www.openwall.com/john/
- Talk "G1234! - Password Cracking 201: Beyond the Basics - Royce Williams": https://www.youtube.com/watch?v=cSOjQI0qbuU
- Enumeration
- LinEnum: https://github.com/rebootuser/LinEnum
- linPEAS: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
- pspy (unprivileged Linux process snooping): https://github.com/DominicBreuker/pspy
- Glyptodon (search for suspicious files): https://blog.sevagas.com/?-Glyptodon
- Lynis: https://cisofy.com/lynis/
- Privilege Escalation Methods
- Sudo privesc on Compass Blog: https://blog.compass-security.com/tag/sudo/
- HackTricks Linux Privilege Escalation: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist and https://book.hacktricks.xyz/linux-unix/privilege-escalation
- PayloadsAllTheThings Linux Privilege Escalation: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
- Back To The Future: Unix Wildcards Gone Wild (Wildcard Injection): https://www.exploit-db.com/papers/33930
- Exploitation Tools
- LES (Linux Exploit Suggester): https://github.com/mzet-/linux-exploit-suggester
- GTFOBins: https://gtfobins.github.io/
- GTFOBLookup: https://github.com/nccgroup/GTFOBLookup
- Hardening
- Distribution Independent Linux CIS Benchmark: https://www.cisecurity.org/benchmark/distribution_independent_linux/
- Sysinternals: https://docs.microsoft.com/en-us/sysinternals/#sysinternals-live
- Sysinternals Direct Download: https://live.sysinternals.com/
- PowerSploit: https://github.com/PowerShellMafia/PowerSploit
- PowerUpSQL: https://github.com/NetSPI/PowerUpSQL
- Mimikatz: https://github.com/gentilkiwi/mimikatz
- Impacket: https://github.com/SecureAuthCorp/impacket
- Responder: https://github.com/lgandx/Responder
- CrackMapExec: https://github.com/byt3bl33d3r/CrackMapExec
- CredNinja: https://github.com/Raikia/CredNinja
- BloodHound: https://github.com/BloodHoundAD/BloodHound
- The Dog Whisperer's Handbook: https://www.ernw.de/download/BloodHoundWorkshop/ERNW_DogWhispererHandbook.pdf
- Compass Custom BloodHound Queries: https://github.com/CompassSecurity/BloodHoundQueries
- PingCastle: https://www.pingcastle.com/
- Kerbrute: https://github.com/ropnop/kerbrute
- Hack-the-Box: https://www.hackthebox.eu/
- Metasploitable: https://sourceforge.net/projects/metasploitable/
- Root Me: https://www.root-me.org
- VulnHub: https://www.vulnhub.com/
- Homograph Attacks: https://dev.to/logan/homographs-attack--5a1p
- Tool: https://github.com/evilsocket/ditto
- Example: https://ΡΠ°ΡΡΠ°Σ.com/
- Frida Hooking Framework: https://frida.re/
- Frida Hooks Collection: https://codeshare.frida.re/
- objection - Runtime Mobile Exploration: https://github.com/sensepost/objection
- F-Secure Android Keystore Audit