Appsec
Explore 106 curated tools and resources
Search by name, description, or purpose... (⌘+K)
PINNED
Promoted • 6 toolsCommercial
Data Protection
Commercial
Network Security
Commercial
Consulting
Commercial
Application Security
Commercial
Cloud Security
Commercial
Application Security
Want your tool featured here?
Get maximum visibility with pinned placement
LATEST ADDITIONS
A professional web application security testing service that performs comprehensive black-box security assessments covering OWASP Top 10 vulnerabilities with manual validation and detailed reporting.
A professional web application security testing service that performs comprehensive black-box security assessments covering OWASP Top 10 vulnerabilities with manual validation and detailed reporting.
A comprehensive application security platform combining specialized services and software tools to help organizations manage vulnerabilities throughout the software development lifecycle.
A comprehensive application security platform combining specialized services and software tools to help organizations manage vulnerabilities throughout the software development lifecycle.
An AI-powered API security testing platform that performs continuous vulnerability assessment, attack surface mapping, and compliance monitoring of API endpoints.
An AI-powered API security testing platform that performs continuous vulnerability assessment, attack surface mapping, and compliance monitoring of API endpoints.
An automated API security testing platform that provides continuous vulnerability assessment, validation, and educational resources for API endpoint security.
An automated API security testing platform that provides continuous vulnerability assessment, validation, and educational resources for API endpoint security.
ImmuniWeb MobileSuite is a mobile application penetration testing platform that combines AI-powered automation with manual security testing to assess mobile apps and their backend infrastructure for security vulnerabilities and compliance requirements.
ImmuniWeb MobileSuite is a mobile application penetration testing platform that combines AI-powered automation with manual security testing to assess mobile apps and their backend infrastructure for security vulnerabilities and compliance requirements.
A centralized application security posture management platform that integrates security tools, automates workflows, and provides visibility into application security risks.
A centralized application security posture management platform that integrates security tools, automates workflows, and provides visibility into application security risks.
An Application Security Posture Management platform that helps organizations integrate security throughout the software development lifecycle with a focus on vulnerability management and secure coding practices.
An Application Security Posture Management platform that helps organizations integrate security throughout the software development lifecycle with a focus on vulnerability management and secure coding practices.
Security design review automation tool that scans design documents and provides security requirements to development teams during the planning phase.
Security design review automation tool that scans design documents and provides security requirements to development teams during the planning phase.
An API security platform that discovers, documents, and tests APIs throughout the development lifecycle while maintaining a centralized catalog of all API assets.
An API security platform that discovers, documents, and tests APIs throughout the development lifecycle while maintaining a centralized catalog of all API assets.
EvoMaster is an AI-driven tool that automatically generates system-level test cases for web APIs and enterprise applications using evolutionary algorithms and dynamic program analysis.
EvoMaster is an AI-driven tool that automatically generates system-level test cases for web APIs and enterprise applications using evolutionary algorithms and dynamic program analysis.
API Security is a comprehensive solution that provides continuous discovery, vulnerability assessment, threat detection, compliance monitoring, dynamic testing, and remediation capabilities to protect APIs against various threats and vulnerabilities.
API Security is a comprehensive solution that provides continuous discovery, vulnerability assessment, threat detection, compliance monitoring, dynamic testing, and remediation capabilities to protect APIs against various threats and vulnerabilities.
Snyk Code is a real-time SAST tool that provides secure code analysis and actionable remediation advice to prevent code delays and ensure secure development.
Snyk Code is a real-time SAST tool that provides secure code analysis and actionable remediation advice to prevent code delays and ensure secure development.
The Contrast Runtime Security Platform is a suite of application security tools that integrates security into the software development lifecycle and production environments, including IAST, SAST, RASP, and SCA capabilities.
The Contrast Runtime Security Platform is a suite of application security tools that integrates security into the software development lifecycle and production environments, including IAST, SAST, RASP, and SCA capabilities.
Checkmarx One SAST is a static application security testing tool that combines speed and security to improve developer experience.
Checkmarx One SAST is a static application security testing tool that combines speed and security to improve developer experience.
Veracode is an intelligent software security platform that helps developers and security teams secure code, find and fix flaws, and automate remediation.
Veracode is an intelligent software security platform that helps developers and security teams secure code, find and fix flaws, and automate remediation.
A hosted web application security testing tool that enables security researchers to register, activate their accounts, and scan web applications for vulnerabilities.
A hosted web application security testing tool that enables security researchers to register, activate their accounts, and scan web applications for vulnerabilities.
VIDOC is an AI-powered security tool that automates code review, detects and fixes vulnerabilities, and monitors external security, ensuring the integrity of both human-written and AI-generated code in software development pipelines.
VIDOC is an AI-powered security tool that automates code review, detects and fixes vulnerabilities, and monitors external security, ensuring the integrity of both human-written and AI-generated code in software development pipelines.
LinksDumper extracts links and endpoints from HTTP responses to support web application security testing and reconnaissance activities.
LinksDumper extracts links and endpoints from HTTP responses to support web application security testing and reconnaissance activities.
Jaeles is an automated web application testing tool that helps identify vulnerabilities and security issues through customizable testing scenarios.
Jaeles is an automated web application testing tool that helps identify vulnerabilities and security issues through customizable testing scenarios.
A command-line tool that identifies and extracts parameters from HTTP requests and responses to assist with web application security testing and vulnerability assessment.
A command-line tool that identifies and extracts parameters from HTTP requests and responses to assist with web application security testing and vulnerability assessment.
A Burp Suite extension that automates XSS vulnerability detection and validation through custom payload generation and response analysis.
A Burp Suite extension that automates XSS vulnerability detection and validation through custom payload generation and response analysis.
A security analysis tool that detects and analyzes open redirection vulnerabilities in web applications.
A security analysis tool that detects and analyzes open redirection vulnerabilities in web applications.
A Burp Suite extension that detects NGINX alias traversal vulnerabilities by analyzing HTTP traffic patterns to identify path traversal misconfigurations.
A Burp Suite extension that detects NGINX alias traversal vulnerabilities by analyzing HTTP traffic patterns to identify path traversal misconfigurations.
SSTImap is an automated detection tool that identifies Server-Side Template Injection vulnerabilities in web applications through systematic testing and analysis.
SSTImap is an automated detection tool that identifies Server-Side Template Injection vulnerabilities in web applications through systematic testing and analysis.
A company that helps organizations create security-aware teams and produce bug-free software.
A company that helps organizations create security-aware teams and produce bug-free software.
Deliberately vulnerable web application for security professionals to practice attack techniques.
Deliberately vulnerable web application for security professionals to practice attack techniques.
x8 is a hidden parameters discovery suite that automatically identifies undocumented parameters in web applications and APIs for security testing purposes.
x8 is a hidden parameters discovery suite that automatically identifies undocumented parameters in web applications and APIs for security testing purposes.
Dynamic application security testing tool for identifying and fixing web application vulnerabilities.
Dynamic application security testing tool for identifying and fixing web application vulnerabilities.
InsecureShop is an intentionally vulnerable Android application built in Kotlin for educating developers and security professionals about mobile app vulnerabilities and penetration testing techniques.
InsecureShop is an intentionally vulnerable Android application built in Kotlin for educating developers and security professionals about mobile app vulnerabilities and penetration testing techniques.
CorsMe is a specialized scanner that identifies Cross-Origin Resource Sharing (CORS) misconfigurations in web applications and provides remediation recommendations.
CorsMe is a specialized scanner that identifies Cross-Origin Resource Sharing (CORS) misconfigurations in web applications and provides remediation recommendations.
A collection of Android Fakebank and Tizi samples for analyzing spyware on Android devices.
A collection of Android Fakebank and Tizi samples for analyzing spyware on Android devices.
A deep dive into the Ledger connect-kit compromise decryption process.
A deep dive into the Ledger connect-kit compromise decryption process.
Bastille-Linux is a system hardening program that proactively configures the system for increased security and educates users about security settings.
Bastille-Linux is a system hardening program that proactively configures the system for increased security and educates users about security settings.
The best security training environment for Developers and AppSec Professionals.
The best security training environment for Developers and AppSec Professionals.
A deliberately vulnerable Android application containing multiple security flaws designed for educational purposes and security training.
A deliberately vulnerable Android application containing multiple security flaws designed for educational purposes and security training.
NodeSecure is a cybersecurity project that provides security monitoring and analysis capabilities specifically designed for Node.js applications.
NodeSecure is a cybersecurity project that provides security monitoring and analysis capabilities specifically designed for Node.js applications.
Bearer CLI is a static application security testing tool that scans source code across multiple programming languages to identify and prioritize OWASP Top 10 and CWE Top 25 security vulnerabilities through data flow analysis.
Bearer CLI is a static application security testing tool that scans source code across multiple programming languages to identify and prioritize OWASP Top 10 and CWE Top 25 security vulnerabilities through data flow analysis.
A technology-focused blog discussing innovations in painting and the importance of expert painters.
A technology-focused blog discussing innovations in painting and the importance of expert painters.
App-Ray offers comprehensive security analysis and compliance solutions for mobile applications.
App-Ray offers comprehensive security analysis and compliance solutions for mobile applications.
MCIR is a unified framework for building code injection vulnerability testbeds that combines SQL, XML, shell, and XSS injection testing tools with shared functionality and template-based extensibility.
MCIR is a unified framework for building code injection vulnerability testbeds that combines SQL, XML, shell, and XSS injection testing tools with shared functionality and template-based extensibility.
A security tool that detects potential Dependency Confusion attack vectors by identifying private package names that are not reserved on public registries.
A security tool that detects potential Dependency Confusion attack vectors by identifying private package names that are not reserved on public registries.
The OWASP AppSec Europe '16 Conference is a leading gathering in web application security, featuring keynote speakers and in-depth trainings in application security topics.
The OWASP AppSec Europe '16 Conference is a leading gathering in web application security, featuring keynote speakers and in-depth trainings in application security topics.
A security checklist based on OWASP standards that provides comprehensive guidelines for designing, testing, and releasing secure Android applications.
A security checklist based on OWASP standards that provides comprehensive guidelines for designing, testing, and releasing secure Android applications.
A developer added malicious code to a popular open-source package, wiping files on computers in Russia and Belarus as a protest.
A developer added malicious code to a popular open-source package, wiping files on computers in Russia and Belarus as a protest.
RiskInDroid is a machine learning-based tool that performs quantitative risk analysis of Android applications by reverse engineering bytecode and analyzing permission usage to generate numeric risk scores.
RiskInDroid is a machine learning-based tool that performs quantitative risk analysis of Android applications by reverse engineering bytecode and analyzing permission usage to generate numeric risk scores.
A Node.js library for validating environment variables and providing immutable access to configuration values in applications.
A Node.js library for validating environment variables and providing immutable access to configuration values in applications.
An all-in-one email outreach platform for finding and connecting with professionals, with features for lead discovery, email verification, and cold email campaigns.
An all-in-one email outreach platform for finding and connecting with professionals, with features for lead discovery, email verification, and cold email campaigns.
An open-source framework that detects and prevents dependency confusion attacks across multiple package management systems and development environments.
An open-source framework that detects and prevents dependency confusion attacks across multiple package management systems and development environments.
Original SmaliHook Java source for Android cracking and reversing.
A series of vulnerable virtual machine images with documentation to teach Linux, Apache, PHP, MySQL security.
A series of vulnerable virtual machine images with documentation to teach Linux, Apache, PHP, MySQL security.
A comprehensive online resource for application security knowledge
A comprehensive online resource for application security knowledge
A VM for mobile application security testing, Android and iOS applications, with custom-made tools and scripts.
A VM for mobile application security testing, Android and iOS applications, with custom-made tools and scripts.
DroidRA is an instrumentation-based Android security analysis tool that improves the accuracy of reflective call analysis through composite constant propagation techniques.
DroidRA is an instrumentation-based Android security analysis tool that improves the accuracy of reflective call analysis through composite constant propagation techniques.
A dependency security analysis tool that identifies potential risks in project dependencies including unsafe lock files, installation scripts, obfuscated code, and dangerous shell commands.
A dependency security analysis tool that identifies potential risks in project dependencies including unsafe lock files, installation scripts, obfuscated code, and dangerous shell commands.
Phrack Magazine is a digital magazine that focuses on computer security and hacking, featuring articles, interviews, and tutorials on various topics related to computer security.
Phrack Magazine is a digital magazine that focuses on computer security and hacking, featuring articles, interviews, and tutorials on various topics related to computer security.
A comprehensive guide for implementing best practices in cybersecurity across various systems.
A comprehensive guide for implementing best practices in cybersecurity across various systems.
A comprehensive web application security testing solution that offers built-in vulnerability assessment and management, as well as integration options with popular software development tools.
A comprehensive web application security testing solution that offers built-in vulnerability assessment and management, as well as integration options with popular software development tools.
OpenRASP is a runtime application self-protection solution that integrates into application servers to monitor and block threats in real-time using context-aware instrumentation.
OpenRASP is a runtime application self-protection solution that integrates into application servers to monitor and block threats in real-time using context-aware instrumentation.
A Node.js tool that analyzes HTTP security headers on websites to identify missing or problematic security configurations.
A Node.js tool that analyzes HTTP security headers on websites to identify missing or problematic security configurations.
Highlighter is a FireEye Market app that integrates with FireEye products to provide enhanced cybersecurity capabilities.
Highlighter is a FireEye Market app that integrates with FireEye products to provide enhanced cybersecurity capabilities.
An open-source tool for detecting and analyzing Android apps' vulnerabilities and security issues.
An open-source tool for detecting and analyzing Android apps' vulnerabilities and security issues.
Collection of Windows oneliners for executing arbitrary code and downloading remote payloads.
Collection of Windows oneliners for executing arbitrary code and downloading remote payloads.
A comprehensive toolkit for web application security testing, offering a range of products and solutions for identifying vulnerabilities and improving security posture.
A comprehensive toolkit for web application security testing, offering a range of products and solutions for identifying vulnerabilities and improving security posture.
Solve password-riddles on a website without logins or ads.
A tool for dynamic analysis of mobile applications in a controlled environment.
A tool for dynamic analysis of mobile applications in a controlled environment.
Websecurify provides efficient ways to protect organizations with sophisticated technology and expert consultancy.
Websecurify provides efficient ways to protect organizations with sophisticated technology and expert consultancy.
A Fastify plugin that provides utilities and middleware to protect web applications against Cross-Site Request Forgery (CSRF) attacks.
A Fastify plugin that provides utilities and middleware to protect web applications against Cross-Site Request Forgery (CSRF) attacks.
Realtime privacy monitoring service for smartphones that analyzes how apps handle private information.
Realtime privacy monitoring service for smartphones that analyzes how apps handle private information.
A blog post discussing INF-SCT fetch and execute techniques for bypass, evasion, and persistence
A blog post discussing INF-SCT fetch and execute techniques for bypass, evasion, and persistence
A practical security handbook for .NET developers covering essential security controls, cryptographic functions, and secure coding practices.
A practical security handbook for .NET developers covering essential security controls, cryptographic functions, and secure coding practices.
Comprehensive security training platform for web developers, offering hands-on experience with real, vulnerable applications and concrete advice for securing code.
A web security tool that scans for vulnerabilities and known attacks.
A web security tool that scans for vulnerabilities and known attacks.
iOS application for testing iOS penetration testing skills in a legal environment.
iOS application for testing iOS penetration testing skills in a legal environment.
A demonstration site for the Acunetix Web Vulnerability Scanner, featuring intentionally vulnerable PHP code to test web application security.
A demonstration site for the Acunetix Web Vulnerability Scanner, featuring intentionally vulnerable PHP code to test web application security.
A tool that automatically audits website security by crawling an entire website and identifying vulnerabilities
A tool that automatically audits website security by crawling an entire website and identifying vulnerabilities
A comprehensive resource for securing Active Directory, including attack methods and effective defenses.
A comprehensive resource for securing Active Directory, including attack methods and effective defenses.
A tool that combines multiple open source Git scanning utilities to detect and list secrets stored in Git repositories for security audits and compliance checks.
A tool that combines multiple open source Git scanning utilities to detect and list secrets stored in Git repositories for security audits and compliance checks.
A free and open-source deliberately insecure web application for security enthusiasts, developers, and students to discover and prevent web vulnerabilities.
A free and open-source deliberately insecure web application for security enthusiasts, developers, and students to discover and prevent web vulnerabilities.
A system for reserving classrooms at the University of Pisa.
A system for reserving classrooms at the University of Pisa.
A Python-based Burp Suite extension that integrates Yara scanning capabilities for detecting patterns and signatures in web application traffic using custom Yara rules.
A Python-based Burp Suite extension that integrates Yara scanning capabilities for detecting patterns and signatures in web application traffic using custom Yara rules.
ConDroid is a concolic execution framework for Android applications that automates dynamic analysis by driving execution to specific code locations without manual interaction.
ConDroid is a concolic execution framework for Android applications that automates dynamic analysis by driving execution to specific code locations without manual interaction.
A centralized platform for managing open source components and automating software supply chain security.
A centralized platform for managing open source components and automating software supply chain security.
Automate software supply chain security by blocking malicious open source components
Automate software supply chain security by blocking malicious open source components
A deliberately vulnerable GraphQL application designed for security testing and educational purposes, containing multiple intentional flaws for learning GraphQL attack and defense techniques.
A deliberately vulnerable GraphQL application designed for security testing and educational purposes, containing multiple intentional flaws for learning GraphQL attack and defense techniques.
A microservice for string padding to prevent global issues like the left-pad incident.
A microservice for string padding to prevent global issues like the left-pad incident.
A secrets detection tool that scans GitHub, GitLab, and Bitbucket repositories to identify API keys, access tokens, and other sensitive information in source code.
A secrets detection tool that scans GitHub, GitLab, and Bitbucket repositories to identify API keys, access tokens, and other sensitive information in source code.
A static analysis tool for Android apps that detects malware and other malicious code
A static analysis tool for Android apps that detects malware and other malicious code
A guide to brute forcing DVWA on the high security level with anti-CSRF tokens
A guide to brute forcing DVWA on the high security level with anti-CSRF tokens
Exploiting a vulnerability in HID iClass system to retrieve master authentication key for cloning cards and changing reader settings.
Exploiting a vulnerability in HID iClass system to retrieve master authentication key for cloning cards and changing reader settings.
A lightweight web security auditing toolkit that simplifies security tasks and enhances productivity.
A lightweight web security auditing toolkit that simplifies security tasks and enhances productivity.
WackoPicko is an intentionally vulnerable web application used for security testing, penetration testing practice, and vulnerability scanner evaluation.
WackoPicko is an intentionally vulnerable web application used for security testing, penetration testing practice, and vulnerability scanner evaluation.
Weekly security newsletter with advisories from major software vendors
Weekly security newsletter with advisories from major software vendors
Malware allows attackers to execute Windows commands from a remote environment
Malware allows attackers to execute Windows commands from a remote environment
A blog post discussing the often overlooked dangers of CSV injection in applications.
A blog post discussing the often overlooked dangers of CSV injection in applications.
Wfuzz is a tool designed for bruteforcing Web Applications with multiple features like multiple injection points, recursion, and payload combinations.
Wfuzz is a tool designed for bruteforcing Web Applications with multiple features like multiple injection points, recursion, and payload combinations.
A tool for automated security scanning of web applications and manual penetration testing.
A tool for automated security scanning of web applications and manual penetration testing.
A Java based HTTP/HTTPS proxy for assessing web application vulnerability with various useful features.
A Java based HTTP/HTTPS proxy for assessing web application vulnerability with various useful features.
A technology lookup and lead generation tool that identifies the technology stack of any website and provides features for market research, competitor analysis, and data enrichment.
A technology lookup and lead generation tool that identifies the technology stack of any website and provides features for market research, competitor analysis, and data enrichment.
A command-line tool for managing and analyzing Microsoft Forefront TMG and UAG configurations.
A command-line tool for managing and analyzing Microsoft Forefront TMG and UAG configurations.
Detect signed malware and track stolen code-signing certificates using osquery.
Detect signed malware and track stolen code-signing certificates using osquery.
DIVA Android is an intentionally vulnerable Android application designed to teach security professionals and developers about mobile application security flaws through hands-on learning.
DIVA Android is an intentionally vulnerable Android application designed to teach security professionals and developers about mobile application security flaws through hands-on learning.
An open-source web application security scanner framework that identifies vulnerabilities in web applications.
An open-source web application security scanner framework that identifies vulnerabilities in web applications.
LunaTrace is an open source supply chain security tool that monitors software dependencies for vulnerabilities and integrates with GitHub to notify developers of security issues before deployment.
LunaTrace is an open source supply chain security tool that monitors software dependencies for vulnerabilities and integrates with GitHub to notify developers of security issues before deployment.
