Uma lista de segurança de aplicativos web

Ir para o conteúdo

• Características
• O negócio
• Explorar
• Mercado
• Preços

Este repositório

Entre ou Inscreva-se

•  Assista76
•  Estrela952
•  Forquilha215

infoslack / awesome-web-hacking

Problemas decódigo2Solicitações de solicitação0Projetos0Insights  

Participe do GitHub hoje

O GitHub é o lar de mais de 20 milhões de desenvolvedores que trabalham juntos para hospedar e rever o código, gerenciar projetos e criar software juntos.

inscrever-se

Uma lista de segurança de aplicativos web

scanner devulnerabilidades deweb-hacking deteste de penetração

•  65 compromete-se
•  1 ramo
•  0 lançamentos
•  10 contribuintes

Clone ou baixe 

Achar arquivo

O último commit c64877a 18 days ago infoslack Merge puxa o pedido # 21 de WangYihang / patch-2 

README.md

Junte o pedido # 21 de WangYihang / patch-2

18 days ago

 README.md

incrível-hacking na web

Esta lista é para quem deseja aprender sobre a segurança das aplicações web, mas não tem um ponto de partida.

Você pode ajudar enviando solicitações de pull para adicionar mais informações.

Se você não está inclinado a fazer PRs, você pode me fazer um tweet @infoslack

Índice

• Livros
• Documentação
• Ferramentas
• Cheat Sheets
• Docker
• Vulnerabilidades
• Cursos
• Sites de Demonstração de Hacking Online
• Laboratórios
• SSL
• Segurança Ruby on Rails

Livros

• http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/8126533404/ O Web Application Hacker's Handbook: Encontrar e explorar falhas de segurança
• http://www.amazon.com/Hacking-Web-Apps-Preventing-Application/dp/159749951X/ Hacking Web Apps: Detecção e prevenção de problemas de segurança de aplicativos da Web
• http://www.amazon.com/Hacking-Exposed-Web-Applications-Third/dp/0071740643/ Hacking Exposed Web Applications
• http://www.amazon.com/SQL-Injection-Attacks-Defense-Second/dp/1597499633/ Ataques de Injeção SQL e Defesa
• http://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886/ The Tangled WEB: um guia para proteger aplicativos da Web modernos
• http://www.amazon.com/Web-Application-Obfuscation-Evasion-Filters/dp/1597496049/ Web Obfuscation: '- / WAFs..Evasion..Filters // alert (/ Obfuscation /) -'
• http://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/ Ataques XSS: Cross Site Scripting Exploits and Defense
• http://www.amazon.com/Browser-Hackers-Handbook-Wade-Alcorn/dp/1118662091/ O navegador Hacker's Handbook
• http://www.amazon.com/Basics-Web-Hacking-Techniques-Attack/dp/0124166008/ O básico do hacking na Web: ferramentas e técnicas para atacar a Web
• http://www.amazon.com/Web-Penetration-Testing-Kali-Linux/dp/1782163166/ Teste de Penetração na Web com o Kali Linux
• http://www.amazon.com/Web-Application-Security-Beginners-Guide/dp/0071776168/ Web Application Security, A Beginner's Guide
• https://www.crypto101.io/ - Crypto 101 é um curso introdutório sobre criptografia
• http://www.offensive-security.com/metasploit-unleashed/ - Metasploit Unleashed
• http://www.cl.cam.ac.uk/~rja14/book.html - Engenharia de segurança
• https://www.feistyduck.com/library/openssl-cookbook/ - OpenSSL Cookbook

Documentação

• https://www.owasp.org/ - Open Web Application Security Project
• http://www.pentest-standard.org/ - Teste de Penetração Padrão de Execução
• http://www.binary-auditing.com/ - Auditoria Binária do Dr. Thorsten Schneider

Ferramentas

• http://www.metasploit.com/ - O software de teste de penetração mais utilizado no mundo
• http://www.arachni-scanner.com/ - Web Application Security Scanner Framework
• https://github.com/sullo/nikto - Nikto web server scanner
• http://www.tenable.com/products/nessus-vulnerability-scanner - Nessus Vulnerability Scanner
• http://www.portswigger.net/burp/intruder.html - Burp Intruder é uma ferramenta para automatizar ataques personalizados contra aplicativos da web.
• http://www.openvas.org/ - O scanner e o gerenciador de vulnerabilidades Open Source mais avançados do mundo.
• https://github.com/iSECPartners/Scout2 - Ferramenta de auditoria de segurança para ambientes AWS
• https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project - É uma aplicação java multi-threaded projetada para diretórios de força bruta e nomes de arquivos em servidores de web / aplicativo.
• https://www.owasp.org/index.php/ZAP - O Zed Attack Proxy é uma ferramenta de teste de penetração integrada fácil de usar para encontrar vulnerabilidades em aplicativos da web.
• https://github.com/tecknicaltom/dsniff - dsniff é uma coleção de ferramentas para auditoria de rede e testes de penetração. * https://github.com/WangYihang/Webshell-Sniper - Gerencie seu webshell via terminal. * https://github.com/DanMcInerney/dnsspoof - spoofer DNS. Diminui as respostas de DNS do roteador e o substitui pela resposta de DNS falsificada
• https://github.com/trustedsec/social-engineer-toolkit - O repositório do Social-Engineer Toolkit (SET) do TrustedSec
• https://github.com/sqlmapproject/sqlmap - Injeção automática de SQL e ferramenta de aquisição de banco de dados
• https://github.com/beefproject/beef - O projeto da estrutura de exploração do navegador
• http://w3af.org/ - w3af é um quadro de ataque e auditoria de aplicativos da Web
• https://github.com/espreto/wpsploit - WPSploit, Exploiting Wordpress Com Metasploit * https://github.com/WangYihang/Reverse-Shell-Manager - Reverse shell manager via terminal. * https://github.com/RUB-NDS/WS-Attacker - WS-Attacker é uma estrutura modular para testes de penetração de serviços na web
• https://github.com/wpscanteam/wpscan - WPScan é um scanner de vulnerabilidades WordPress de caixa preta
• http://sourceforge.net/projects/paros/ Paros proxy
• https://www.owasp.org/index.php/Categoria:OWASP_WebScarab_Project Web scarab proxy
• https://code.google.com/p/skipfish/ Skipfish, uma ferramenta de reconhecimento de segurança de aplicativos web ativa
• http://www.acunetix.com/vulnerability-scanner/ Acunetix Web Vulnerability Scanner
• http://www-03.ibm.com/software/products/en/appscan IBM Security AppScan
• https://www.netsparker.com/web-vulnerability-scanner/ Netsparker web vulnerability scanner
• http://www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/index.html HP Web Inspect
• https://github.com/sensepost/wikto Wikto - Nikto para Windows com alguns recursos extras
• http://samurai.inguardians.com Samurai Web Testing Framework
• https://code.google.com/p/ratproxy/ Ratproxy
• http://www.websecurify.com Websecurify
• http://sourceforge.net/projects/grendel/ Grendel-scan
• https://www.owasp.org/index.php/Categoria:OWASP_DirBuster_Project DirBuster
• http://www.edge-security.com/wfuzz.php Wfuzz
• http://wapiti.sourceforge.net wapiti
• https://github.com/neuroo/grabber Grabber
• https://subgraph.com/vega/ Vega
• http://websecuritytool.codeplex.com Watcher scanner web passivo
• http://xss.codeplex.com x5s XSS e Unicode transformações assistente de testes de segurança
• http://www.beyondsecurity.com/avds AVDS Avaliação e gerenciamento de vulnerabilidades
• http://www.golismero.com Golismero
• http://www.ikare-monitoring.com IKare
• http://www.nstalker.com N-Stalker X
• https://www.rapid7.com/products/nexpose/index.jsp Nexpose
• http://www.rapid7.com/products/appspider/ App Spider
• http://www.milescan.com ParosPro
• https://www.qualys.com/enterprises/qualysguard/web-application-scanning/ Qualys Web Application Scanning
• http://www.beyondtrust.com/Products/RetinaNetworkSecurityScanner/ Retina
• https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework Xenotix XSS Exploit Framework
• https://github.com/future-architect/vuls Vulnerability scanner para Linux, sem agente, escrito em Golang.
• https://github.com/rastating/wordpress-exploit-framework Um framework Ruby para desenvolver e usar módulos que ajudem no teste de penetração de sites e sistemas alimentados com WordPress.
• http://www.xss-payloads.com/ XSS Payloads para aproveitar vulnerabilidades do XSS, criar cargas úteis personalizadas, praticar habilidades de teste de penetração.
• https://github.com/joaomatosf/jexboss JBoss (e outras Vulnerabilidades de Deserialização de Java) verificar e Ferramenta de Exploração
• https://github.com/commixproject/commix Ferramenta de injeção e exploração de comando de sistema operacional automatizado All-in-One
• https://github.com/pathetiq/BurpSmartBuster Um plugin de descoberta de conteúdo Burp Suite que adiciona o inteligente ao Buster!
• https://github.com/GoSecure/csp-auditor Burp e ZAP plugin para analisar cabeçalhos CSP
• https://github.com/ffleming/timing_attack Execute ataques de temporização contra aplicativos da Web
• https://github.com/lalithr95/fuzzapi Fuzzapi é uma ferramenta usada para a API REST pentesting
• https://github.com/owtf/owtf Framework de teste da Web ofensiva (OWTF)
• https://github.com/nccgroup/wssip Aplicativo para capturar, modificar e enviar dados personalizados do WebSocket do cliente para o servidor e vice-versa.
• https://github.com/tijme/angularjs-scanner Detecção automatizada de injeção de modelo do lado do cliente (sandbox escape / bypass) para AngularJS (ACSTIS).

Cheat Sheets

• http://n0p.net/penguicon/php_app_sec/mirror/xss.html - XSS cheatsheet
• https://highon.coffee/blog/lfi-cheat-sheet/ - LFI Cheat Sheet
• https://highon.coffee/blog/reverse-shell-cheat-sheet/ - Reverse Shell Cheat Sheet
• https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/ - SQL Injection Cheat Sheet
• https://www.gracefulsecurity.com/path-traversal-cheat-sheet-windows/ - Path Traversal Cheat Sheet: Windows

Imagens do Docker para Testes de Penetração

• docker pull kalilinux/kali-linux-docker oficial Kali Linux
• docker pull owasp/zap2docker-stable- oficial OWASP ZAP
• docker pull wpscanteam/wpscan- WPScan oficial
• docker pull pandrew/metasploit- docker-metasploit
• docker pull citizenstig/dvwa- Maldito Aplicativo Web Vulnerável (DVWA)
• docker pull wpscanteam/vulnerablewordpress- Instalação de WordPress Vulnerável
• docker pull hmlio/vaas-cve-2014-6271- Vulnerabilidade como serviço: Shellshock
• docker pull hmlio/vaas-cve-2014-0160- Vulnerabilidade como serviço: Heartbleed
• docker pull opendns/security-ninjas- Ninjas de segurança
• docker pull usertaken/archlinux-pentest-lxde- Arch Linux Penetration Tester
• docker pull diogomonica/docker-bench-security- Banco Docker para a Segurança
• docker pull ismisepaul/securityshepherd- OWASP Security Shepherd
• docker pull danmx/docker-owasp-webgoat- OWASP WebGoat Project docker image
• docker pull citizenstig/nowasp- OWASP Mutillidae II Web Pen-Test Practice Application

Vulnerabilidades

• http://cve.mitre.org/ - Vulnerabilidades e exposições comuns. O Padrão para Nomes de Vulnerabilidade de Segurança da Informação
• https://www.exploit-db.com/ - The Exploit Database - arquivo final de Exploits, Shellcode e documentos de segurança.
• http://0day.today/ - Inj3ct0r is the ultimate database of exploits and vulnerabilities and a great resource for vulnerability researchers and security professionals.
• http://osvdb.org/ - OSVDB's goal is to provide accurate, detailed, current, and unbiased technical security information.
• http://www.securityfocus.com/ - Since its inception in 1999, SecurityFocus has been a mainstay in the security community.
• http://packetstormsecurity.com/ - Global Security Resource
• https://wpvulndb.com/ - WPScan Vulnerability Database

Courses

• https://www.elearnsecurity.com/course/web_application_penetration_testing/ eLearnSecurity Web Application Penetration Testing
• https://www.elearnsecurity.com/course/web_application_penetration_testing_extreme/ eLearnSecurity Web Application Penetration Testing eXtreme
• https://www.offensive-security.com/information-security-training/advanced-web-attack-and-exploitation/ Offensive Security Advanced Web Attacks and Exploitation (live)
• https://www.sans.org/course/web-app-penetration-testing-ethical-hacking Sans SEC542: Web App Penetration Testing and Ethical Hacking
• https://www.sans.org/course/advanced-web-app-penetration-testing-ethical-hacking Sans SEC642: Advanced Web App Penetration Testing and Ethical Hacking * http://opensecuritytraining.info/ - Open Security Training
• http://securitytrainings.net/security-trainings/ - Security Exploded Training
• http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/ - FSU - Offensive Computer Security
• http://www.cs.fsu.edu/~lawrence/OffNetSec/ - FSU - Offensive Network Security
• http://www.securitytube.net/ - World’s largest Infosec and Hacking Portal.

Online Hacking Demonstration Sites

• http://testasp.vulnweb.com/ - Acunetix ASP test and demonstration site
• http://testaspnet.vulnweb.com/ - Acunetix ASP.Net test and demonstration site
• http://testphp.vulnweb.com/ - Acunetix PHP test and demonstration site
• http://crackme.cenzic.com/kelev/view/home.php - Crack Me Bank
• http://zero.webappsecurity.com/ - Zero Bank
• http://demo.testfire.net/ - Altoro Mutual

Labs

• http://www.cis.syr.edu/~wedu/seed/all_labs.html - Developing Instructional Laboratories for Computer SEcurity EDucation
• https://www.vulnhub.com/ - Virtual Machines for Localhost Penetration Testing.
• https://pentesterlab.com/ - PentesterLab is an easy and great way to learn penetration testing.
• https://github.com/jerryhoff/WebGoat.NET - This web application is a learning platform about common web security flaws.
• http://www.dvwa.co.uk/ - Damn Vulnerable Web Application (DVWA)
• http://sourceforge.net/projects/lampsecurity/ - LAMPSecurity Training
• https://github.com/Audi-1/sqli-labs - SQLI labs to test error based, Blind boolean based, Time based.
• https://github.com/paralax/lfi-labs - small set of PHP scripts to practice exploiting LFI, RFI and CMD injection vulns
• https://hack.me/ - Build, host and share vulnerable web apps in a sandboxed environment for free
• http://azcwr.org/az-cyber-warfare-ranges - Free live fire Capture the Flag, blue team, red team Cyber Warfare Range for beginners through advanced users. Must use a cell phone to send a text message requesting access to the range.
• https://github.com/adamdoupe/WackoPicko - WackoPicko is a vulnerable web application used to test web application vulnerability scanners.
• https://github.com/rapid7/hackazon - Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications.

SSL

• https://www.ssllabs.com/ssltest/index.html - This service performs a deep analysis of the configuration of any SSL web server on the public Internet.
• https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - Strong SSL Security on nginx
• https://weakdh.org/ - Weak Diffie-Hellman and the Logjam Attack
• https://letsencrypt.org/ - Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open.
• https://filippo.io/Heartbleed/ - A checker (site and tool) for CVE-2014-0160 (Heartbleed).

Security Ruby on Rails

• http://brakemanscanner.org/ - A static analysis security vulnerability scanner for Ruby on Rails applications.
• https://github.com/rubysec/ruby-advisory-db - A database of vulnerable Ruby Gems
• https://github.com/rubysec/bundler-audit - Patch-level verification for Bundler
• https://github.com/hakirisec/hakiri_toolbelt - Hakiri Toolbelt is a command line interface for the Hakiri platform.
• https://hakiri.io/facets - Scan Gemfile.lock for vulnerabilities.
• http://rails-sqli.org/ - This page lists many query methods and options in ActiveRecord which do not sanitize raw SQL arguments and are not intended to be called with unsafe user input.
• https://github.com/0xsauby/yasuo - Um script ruby ​​que procura por aplicativos Web vulneráveis ​​e vulneráveis ​​em uma rede

• © 2017 GitHub , Inc.
• Termos
• Privacidade
• Segurança
• Status
• Socorro

• Entre em contato com GitHub
• API
• Treinamento
• fazer compras
• Blog
• Sobre