Appsec
Explore 229 curated tools and resources
LATEST ADDITIONS
API Security is a comprehensive solution that provides continuous discovery, vulnerability assessment, threat detection, compliance monitoring, dynamic testing, and remediation capabilities to protect APIs against various threats and vulnerabilities.
Snyk Code is a real-time SAST tool that analyzes source code for security issues and gives actionable remediation advice, so developers can fix flaws without slowing delivery.
The Contrast Runtime Security Platform is a suite of application security tools that integrates security into the software development lifecycle and production environments, including IAST, SAST, RASP, and SCA capabilities.
Checkmarx One SAST is a static application security testing tool that combines speed and security to improve developer experience.
Veracode is an intelligent software security platform that helps developers and security teams secure code, find and fix flaws, and automate remediation.
Goof is a vulnerable Node.js demo application that includes a series of vulnerabilities and exploits
A hosted web application security scanner that security researchers can register for and use to scan web applications for vulnerabilities.
VIDOC is an AI-powered security tool that automates code review, detects and fixes vulnerabilities, and monitors external security, ensuring the integrity of both human-written and AI-generated code in software development pipelines.
A Python-based tool for identifying and exploiting file inclusion and directory traversal vulnerabilities in web applications.
A tool for finding and exploiting SQL injection vulnerabilities in web applications
A collection of tests for Local File Inclusion (LFI) vulnerabilities using Burp Suite.
A Python-based web application scanner for OSINT and fuzzing OWASP vulnerabilities
A Burp extension for scanning JavaScript files for endpoint links
A command-line program for finding secrets and sensitive information in textual data and Git history.
Automated web application testing tool
A tool for identifying and extracting parameters from HTTP requests and responses
A Burp intruder extender for automating and validating XSS vulnerabilities
A tool for brute-forcing GET and POST parameters to discover potential vulnerabilities in web applications.
A Burp extension to detect alias traversal via NGINX misconfiguration at scale.
Interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features
A tool for detecting and exploiting vulnerabilities in web applications
A Python library for exploiting race conditions in web apps
A tool for generating .NET serialized gadgets for triggering .NET assembly load/execution.
A company that helps organizations create security-aware teams and produce bug-free software.
Skyhook is a red-team tool that obfuscates HTTP file transfers so that exfiltration and payload delivery evade IDS/IPS inspection.
IronBee is an open source project building a universal web application security sensor.
CLI program for cybersecurity solution management with multiple functionalities and authentication methods.
Utility that exposes TLS certificate expiry as Prometheus metrics.
Deliberately vulnerable web application for security professionals to practice attack techniques.
An insecure web application with multiple vulnerable web service components for learning real-world web service vulnerabilities.
A repository of pre-defined detections for security threats and abnormal behaviors in Falco.
YaraHunter scans container images, running Docker containers, and filesystems to find indicators of malware.
An open source framework for security assessments of iOS apps, now decommissioned in favor of Objection.
A comprehensive collection of security assessment lists for security testers.
A tool for analyzing Android applications in local storage with various functionalities.
Audits JavaScript projects for known vulnerabilities and outdated package versions using OSS Index v3 REST API.
Tool to disable vulnerable features in Windows and popular applications for enhanced security.
AMDH is an Android tool for automating scanning, hardening system settings, detecting malware, and protecting privacy.
Dynamic application security testing tool for identifying and fixing web application vulnerabilities.
Android application for learning about vulnerabilities in modern Android apps and testing pentesting skills.
A tool to scan for CORS misconfigurations in web applications
A deliberately insecure web application for teaching web application security lessons maintained by OWASP.
Unofficial Python API for searching, browsing, and downloading Android apps from Google Play.
Aggregates known Android security vulnerabilities with detailed examples and analysis.
Stealing Signatures and Making One Invalid Signature at a Time.
A collection of Android Fakebank and Tizi samples for analyzing spyware on Android devices.
SharpAppLocker is a C# port of the Get-AppLockerPolicy cmdlet for retrieving and enumerating AppLocker application control policies without PowerShell.
Macro_Pack is a tool used to automate obfuscation and generation of Office documents for pentest, demo, and social engineering assessments.
A comprehensive open dictionary of fault injection patterns and predictable resource locations for dynamic application security testing
A deep dive into the Ledger connect-kit compromise decryption process.
A Yara ruleset for detecting PHP shells and other webserver malware.
Bastille-Linux is a system hardening program that proactively configures the system for increased security and educates users about security settings.
A framework for exploiting Android-based devices and applications
The best security training environment for Developers and AppSec Professionals.
A credit card/magstripe spoofer that can emulate any magnetic stripe or credit card wirelessly.
Orchestration toolchain for scanning source code and infrastructure IaC against security risks.
A vulnerable Android application demonstrating various security issues and vulnerabilities
Static application security testing (SAST) tool for scanning source code against security and privacy risks.
A panic button app for triggering a ripple effect across apps responding to panic events
A collection of Android Applications with malware analysis results
A Burp plugin for identifying potential vulnerabilities in web applications
Tplmap is a tool for detecting and exploiting server-side template injection vulnerabilities.
Tool to bypass endpoint solutions blocking known 'malicious' signed applications by obtaining valid signed files with different hashes.
A technology-focused blog discussing innovations in painting and the importance of expert painters.
A simple command-line tool that scans a website for CORS misconfigurations
App-Ray offers comprehensive security analysis and compliance solutions for mobile applications.
Hackazon is a free, vulnerable test site with an online storefront to train and test IT security professionals on various vulnerabilities like SQL Injection and cross-site scripting.
A framework for building code injection vulnerability testbeds
Mitigate security concerns of Dependency Confusion supply chain security risks.
The OWASP AppSec Europe '16 Conference is a leading gathering in web application security, featuring keynote speakers and in-depth trainings in application security topics.
A comprehensive checklist for securing Android apps
An open-source project for dynamic analysis of Android applications using the Android Substrate framework.
Automated framework for monitoring and tampering system API calls of native macOS, iOS, and Android apps.
Yara mode for GNU Emacs to edit Yara related files
A developer added malicious code to a popular open-source package, wiping files on computers in Russia and Belarus as a protest.
A tool for quantitative risk analysis of Android applications using machine learning techniques.
gVisor is an application kernel that provides isolation for running sandboxed containers.
An all-in-one email outreach platform for finding and connecting with professionals, with features for lead discovery, email verification, and cold email campaigns.
Metadata repository with installation tools and cloud provider support.
A honeypot for Intel's AMT Firmware Vulnerability CVE-2017-5689
A third-party Nginx module that prevents common web attacks by reading a small subset of simple rules containing 99% of known patterns involved in website vulnerabilities.
A vulnerable web application for learning about web application vulnerabilities and writing secure code.
A Python web application that provides simple statistics for the Glastopf web application honeypot.
Open-Source framework for detecting and preventing dependency confusion leakage with a holistic approach and wide technology support.
A tool for executing code through the MSBuild API, a living-off-the-land technique that runs payloads under the trusted MSBuild binary to evade detection.
A cybersecurity tool with online demo, mailing list, and multiple installation methods.
Original SmaliHook Java source for Android cracking and reversing.
GRFICS is a graphical realism framework for industrial control simulations using Unity 3D game engine graphics to enhance ICS security training.
A series of small test cases designed to exercise different parts of a static security analyzer
A series of vulnerable virtual machine images with documentation to teach Linux, Apache, PHP, MySQL security.
Practical security policy enforcement for Android apps via bytecode rewriting and in-place reference monitor.
A tool for detecting and exploiting Android application vulnerabilities
A comprehensive online resource for application security knowledge
A VM for mobile application security testing, Android and iOS applications, with custom-made tools and scripts.
Scumblr is a web application for periodic syncs of data sources and security analysis to streamline proactive security.
Instrumentation-based approach for resolving reflective calls in Android apps.
Scans SPF and DMARC records for issues that could allow email spoofing.
Community-driven collection of open source tools being archived with limited support.
A collection of real-world scenarios to evaluate command injection detection and exploitation abilities
A web application designed to be 'Xtremely Vulnerable' for security enthusiasts to learn application security.
Important security headers for Fastify with granular control over application routes.
Android vulnerability analysis system with efficient scanning and high accuracy.
Phrack Magazine is a digital magazine that focuses on computer security and hacking, featuring articles, interviews, and tutorials on various topics related to computer security.
GuardDog is a CLI tool for identifying malicious PyPI and npm packages through heuristics and Semgrep rules.
A black-box obfuscation tool for Android apps with Android App Bundle support.
A comprehensive guide for implementing best practices in cybersecurity across various systems.
CSET is a free software tool for identifying vulnerabilities in enterprise and industrial control cyber systems.
Enhances the reading experience of smali code in Emacs.
A comprehensive web application security testing solution that offers built-in vulnerability assessment and management, as well as integration options with popular software development tools.
A comprehensive guide to Nessus, a vulnerability scanner, covering data directories, binary directories, logs directories, plugin directories, advanced settings, API, and good practices.
OpenRASP directly integrates its protection engine into the application server by instrumentation, providing context-aware protection and detailed stack trace logging.
Introspy-Android is a blackbox tool for understanding Android app behavior and identifying security issues at runtime.
Highlighter is a FireEye Market app that integrates with FireEye products to provide enhanced cybersecurity capabilities.
A low Interaction Client honeypot designed to detect malicious websites through signature, anomaly and pattern matching techniques.
BleachBit cleans files to free disk space and maintain privacy with various options and command line interface support.
Repository documenting common techniques to bypass AppLocker with verified, unverified, and generic bypasses.
An open-source tool for detecting and analyzing Android apps' vulnerabilities and security issues.
A proof-of-concept obfuscation toolkit for C# post-exploitation tools, designed to conceal malicious activities from detection.
Collection of Windows oneliners for executing arbitrary code and downloading remote payloads.
Darkarmour is a Windows AV evasion tool that obfuscates binaries so that payloads bypass signature-based antivirus detection.
A library to access and parse the Microsoft Internet Explorer Cache File format.
Automatically configure your app to follow OWASP security patterns and principles with Nuxt Security module.
A comprehensive toolkit for web application security testing, offering a range of products and solutions for identifying vulnerabilities and improving security posture.
Solve password-riddles on a website without logins or ads.
FLARE-VM is a collection of software installation scripts for Windows systems designed for setting up and maintaining a reverse engineering environment on a virtual machine.
A tool for dynamic analysis of mobile applications in a controlled environment.
A list of useful payloads and bypasses for Web Application Security.
Command-line tool for downloading APKs from Appland platform.
FSquaDRA is a tool for detection of repackaged Android applications based on Jaccard similarity computation over digests of files.
Websecurify provides efficient ways to protect organizations with sophisticated technology and expert consultancy.
Finds publicly known security vulnerabilities in a website's frontend JavaScript libraries.
Alternative marketplace for mobile applications with package ID metadata retrieval and APK download capabilities.
Protect your Fastify server against CSRF attacks with a series of utilities and recommendations for secure application development.
A set of YARA rules for identifying files containing sensitive information
Realtime privacy monitoring service for smartphones that analyzes how apps handle private information.
Static code analyzer for Infrastructure as Code with 500+ security policies and support for various IaC tools and cloud platforms.
A web-based tool for instrumenting and analyzing Android applications using Flask, Jinja, and Redis.
A blog post discussing INF-SCT fetch and execute techniques for bypass, evasion, and persistence
Comprehensive security training platform for web developers, offering hands-on experience with real, vulnerable applications and concrete advice for securing code.
A web security tool that scans for vulnerabilities and known attacks.
CrowdStrike Falcon Orchestrator is a Windows-based application for workflow automation and security response.
iOS application for testing iOS penetration testing skills in a legal environment.
A demonstration site for the Acunetix Web Vulnerability Scanner, featuring intentionally vulnerable PHP code to test web application security.
Comprehensive cheat sheet for SQLite SQL injection techniques and payloads.
A tool that automatically audits website security by crawling an entire website and identifying vulnerabilities
SAST and malware analysis tool for Android APKs with detailed scan information.
A cross-platform tool for creating malicious MS Office documents with hidden VBA macros and anti-analysis features.
A vulnerable by design infrastructure on Azure featuring the latest released OWASP Top 10 web application security risks (2021) and other misconfigurations.
A comprehensive resource for securing Active Directory, including attack methods and effective defenses.
IDA Pro plugin for finding crypto constants
A PHP/MySQL web application designed to aid security professionals in testing their skills and tools in a legal environment.
Multi-cloud antivirus scanning API with CLAMAV and YARA support for AWS S3, Azure Blob Storage, and GCP Cloud Storage.
A deliberately vulnerable modern day app with lots of DOM related bugs
A free and open-source deliberately insecure web application for security enthusiasts, developers, and students to discover and prevent web vulnerabilities.
A payload creation framework for the retrieval and execution of arbitrary CSharp source code.
A ruby script that scans for vulnerable 3rd-party web applications
Open source web application security scanner with 200+ vulnerability identification capabilities.
Automated vulnerability discovery tool for Cake PHP framework with limited false positives.
A system for reserving classrooms at the University of Pisa.
Python-based extension for integrating a Yara scanner into Burp Suite for on-demand website scans based on custom rules.
Utility for comparing control flow graph signatures to Android methods with scanning capabilities for malicious applications.
ConDroid performs concolic execution of Android apps to observe 'interesting' behavior in dynamic analysis.
A simple Golang application for storing NIST National Software Reference Library Reference Data Set (NSRL RDS) with md5 and sha1 hash lookup searches.
A collection of reports and resources highlighting Android security vulnerabilities and best practices.
A centralized platform for managing open source components and automating software supply chain security.
Automate software supply chain security by blocking malicious open source components
A collection of Yara rules for the Burp Yara-Scanner extension to identify malicious software on websites.
DueDLLigence is an open-source shellcode-runner DLL framework from FireEye for DLL side-loading and application whitelisting bypass on Windows.
PwnAuth is an open-source web application framework for launching and managing OAuth abuse (consent phishing) campaigns during penetration tests and red team exercises.
Helm plugin for decrypting encrypted Helm value files on the fly and integrating with cloud native secret managers.
A framework for reverse engineering Flutter apps with modified Flutter library for dynamic analysis and traffic monitoring.
A collection of security vulnerabilities in regular expressions used in WAFs with a focus on bypass examples and high severity issues.
A PoC tool for generating Excel files with embedded macros without using Excel.
A microservice for string padding to prevent global issues like the left-pad incident.
Curiefense is an application security platform that protects against various threats and offers community involvement.
DroidBox is a tool for dynamic analysis of Android applications, providing insights into package behavior and security.
A static analysis tool for Android apps that detects malware and other malicious code
A guide to brute forcing DVWA on the high security level with anti-CSRF tokens
Inspeckage is a dynamic analysis tool for Android applications offering insights into app behavior and real-time monitoring capabilities.
OWASP Damn Vulnerable Web Sockets (DVWS) is a deliberately vulnerable web application that uses WebSockets for client-server communication and contains numerous vulnerabilities to practice against.
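Two entries above are scanners for CORS misconfigurations. The check such a scanner performs is small enough to show directly, so here is an added example (not code from any tool in this list): it sends the probe origins a scanner would try, classifies the Access-Control-* headers that come back, and runs the same probes against a constructed reflecting server and a constructed allowlisting server. The target origin, the server functions and the allowlist are hypothetical.

```python
from urllib.parse import urlparse

TARGET = "https://api.example.com"  # hypothetical target, not a real endpoint


def probe_origins(target):
    """Origins a CORS scanner sends, each defeating a different sloppy check."""
    u = urlparse(target)
    host, scheme = u.hostname, u.scheme
    probes = [
        "https://attacker.example",          # blanket reflection of any Origin
        f"https://{host}.attacker.example",  # startswith(host) checks
        f"https://not{host}",                # endswith(host) / unescaped regex dot
        f"https://evil.{host}",              # any subdomain trusted
        "null",                              # sandboxed iframe, file://, redirects
    ]
    if scheme == "https":
        probes.append(f"http://{host}")      # plaintext origin trusted -> MitM
    return probes


def classify(sent_origin, headers, target):
    """Classify one response to a probe. '+creds' means the server also sent
    Access-Control-Allow-Credentials: true, so cookies go with the request and
    the response is readable cross-origin."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = "+creds" if h.get("access-control-allow-credentials", "").lower() == "true" else ""
    if acao is None:
        return "no-cors"               # browser blocks cross-origin reads
    if acao == "*":
        # '*' with credentials is rejected by browsers; without, only public data leaks.
        return "wildcard" + creds
    if acao == "null":
        return "null-origin" + creds
    if acao != sent_origin:
        return "static-allowlist"      # server answered with a fixed value, not ours
    sent, tgt = urlparse(sent_origin), urlparse(target)
    same_site = sent.hostname == tgt.hostname or (sent.hostname or "").endswith("." + tgt.hostname)
    if same_site and sent.scheme != tgt.scheme:
        return "scheme-downgrade" + creds
    if same_site:
        return "subdomain-trusted" + creds   # exploitable only via an XSS on a subdomain
    return "reflected-origin" + creds


# Classifications that let an attacker's page read authenticated responses.
EXPLOITABLE = {"reflected-origin+creds", "null-origin+creds", "scheme-downgrade+creds"}


def scan(server, target=TARGET):
    """Send every probe to `server` (a callable standing in for the app's CORS
    handler) and return {origin: classification}."""
    return {o: classify(o, server(o), target) for o in probe_origins(target)}


def vulnerable_server(origin):
    """Constructed: reflects whatever Origin it is given and allows credentials."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


ALLOWED = {"https://app.example.com", "https://api.example.com"}  # hypothetical allowlist


def hardened_server(origin):
    """Constructed: exact-match allowlist; unknown origins get no CORS headers."""
    if origin in ALLOWED:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    for name, srv in (("vulnerable", vulnerable_server), ("hardened", hardened_server)):
        results = scan(srv)
        bad = [o for o, tag in results.items() if tag in EXPLOITABLE]
        print(f"{name}: {results}\n  exploitable via: {bad or 'none'}")
```

Against a real target, `server` would be replaced by a function that issues the request with the given Origin header and returns the response headers; the classification logic stays the same. The hardened handler also sends `Vary: Origin` so that a cached response for one allowed origin is not served to another.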