160 tools and resources
A tool to find XSS vulnerabilities in web applications
A collection of XSS payloads designed to turn alert(1) into P1
A tool to detect, manage and exploit Blind Cross-site scripting (XSS) vulnerabilities.
A tool for testing and exploiting Cross-Site Scripting (XSS) vulnerabilities.
A scripting engine for interacting with GraphQL endpoints for pentesting purposes.
A small script to check a list of domains against open redirect vulnerability
A collection of payloads and methodologies for web pentesting.
A powerful XSS scanning and parameter analysis tool
A Python-based web application scanner for OSINT and fuzzing OWASP vulnerabilities
A tool to escalate SSRF vulnerabilities on modern cloud environments
A simple Swagger-ui scanner that detects old versions vulnerable to various XSS attacks
Automated web application testing tool
A tool for automated HTTP header injection
A tool for identifying and extracting parameters from HTTP requests and responses
Converts the format of various S3 buckets for bug bounty and security testing.
A command-line tool for identifying NoSQL injection vulnerabilities in MongoDB databases
A cross-platform web fuzzer written in Nim
A tool for testing subdomain takeover possibilities at a mass scale.
A simple CLI tool that extends the functionality of Nmap
A Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
Fuzzilli is a JavaScript engine fuzzer that helps identify vulnerabilities in JavaScript engines.
Command line tool for testing CRLF injection on a list of domains.
A Burp Suite extension that formats GraphQL requests for easier reading
A toolkit for detecting and tracking Blind XSS, XXE, and SSRF vulnerabilities
A CRLF and open redirect fuzzer
A free online tool to scan for DOM-based XSS vulnerabilities in HTML, JavaScript, and CSS files.
A tool for testing AWS S3 bucket permissions and security
A simple Python script to test for a hypothetical JWT vulnerability
SSH Honeypot written in Go that records commands and IP addresses of attempted logins.
Self-hosted Fuzzing-As-A-Service platform for continuous developer-driven fuzzing.
A comprehensive collection of security assessment lists for security testers.
A honeypot that emulates a Belkin N300 Home Wireless router with default setup to observe traffic
Blacknet is a low interaction SSH multi-head honeypot system with logging capabilities.
An extensible and open-source system for running, monitoring, and managing honeypots with advanced features.
Technique used to forward one URL to another.
A honeypot for remote file inclusion (RFI) and local file inclusion (LFI) using fake URLs to catch scanning bots and malwares.
IMAP-Honey is a honeypot tool for IMAP and SMTP protocols with support for logging to console or syslog.
A simple file format fuzzer for Android that can fuzz multiple readers at once
Endlessh is an SSH tarpit that traps SSH clients by sending an endless, random SSH banner.
A tool for testing and analyzing RFID and NFC tags, allowing users to read and write data, and perform various attacks and tests.
A comprehensive open dictionary of fault injection patterns and predictable resource locations for dynamic application security testing
Automatic authorization enforcement detection extension for Burp Suite
A customizable offensive security reporting solution for pentesters and red teamers to generate detailed reports of their findings and vulnerabilities.
A vulnerable Android application demonstrating various security issues and vulnerabilities
A GraphQL security testing tool
A utility to generate malicious network traffic for security evaluation.
Tango is a set of scripts and Splunk apps for deploying honeypots with ease.
Static application security testing (SAST) tool for scanning source code against security and privacy risks.
Tcpreplay is a network traffic editing and replay tool used for testing network devices and applications.
App-Ray offers comprehensive security analysis and compliance solutions for mobile applications.
A framework for building code injection vulnerability testbeds
testssl.sh is a free command line tool for checking server's TLS/SSL configurations with clear and machine-readable output.
A vulnerability scanner that helps you identify and fix vulnerabilities in your code
A comprehensive checklist for securing Android apps
Authenticated SSRF in Grafana
ElasticSearch honeypot to capture attempts to exploit CVE-2014-3120, with logging and daemon options.
GNU/Linux Wireless distribution for security testing with XFCE desktop environment.
Repository of tools for testing iPhone messaging by Project Zero
Fast, smart, effective port scanner with extensive extendability and adaptive learning.
A tool for hacking and security testing of JWT
A dynamic infrastructure framework for efficient multi-cloud security operations and distributed scanning.
LaBrea is a 'sticky' honeypot and IDS tool that traps malicious actors by creating virtual servers on unused IP addresses.
A series of small test cases designed to exercise different parts of a static security analyzer
A tool to profile web applications based on response time discrepancies.
A series of vulnerable virtual machine images with documentation to teach Linux, Apache, PHP, MySQL security.
A Linux distribution designed for threat emulation and threat hunting, integrating attacker and defender tools for identifying threats in your environment.
A VM for mobile application security testing, Android and iOS applications, with custom-made tools and scripts.
Adversary emulation framework for testing security measures in network environments.
A WebSocket Manipulation Proxy with a user interface to capture, intercept, and send custom messages for WebSocket and Socket.IO communications.
A collection of real-world scenarios to evaluate command injection detection and exploitation abilities
Android vulnerability analysis system with efficient scanning and high accuracy.
A massive SQL injection vulnerability scanner
A proof-of-concept for an adaptive parallelised DNS prober
SSH honeypot with rich features for recording and analyzing malicious activities.
Chameleon aids in evading proxy categorization to bypass internet filters.
High-interaction SSH honeypot for logging SSH proxy with ongoing development.
Create a vulnerable active directory for testing various Active Directory attacks.
A vulnerable web site in NodeJS for testing security source code analyzers.
HoneyDrive is the premier honeypot Linux distro with over 10 pre-installed honeypot software packages and numerous analysis tools.
DET (extensible) Data Exfiltration Toolkit is a proof of concept tool for performing Data Exfiltration using multiple channels simultaneously.
A comprehensive guide to Nessus, a vulnerability scanner, covering data directories, binary directories, logs directories, plugin directories, advanced settings, API, and good practices.
An easy to set up SSH honeypot for logging SSH connections and activity.
Snort 3 is the next generation Snort IPS with enhanced features and improved cross-platform support.
Introspy-Android is a blackbox tool for understanding Android app behavior and identifying security issues at runtime.
APKiD is a tool that identifies compilers, packers, obfuscators, and other weird stuff in APK files.
Bluetooth Honeypot with monitoring capabilities
An open-source tool for detecting and analyzing Android apps' vulnerabilities and security issues.
OWASP OWTF is a penetration testing framework focused on efficiency and alignment with security standards.
A platform offering hacking missions to test and enhance skills.
Platform for users to test cybersecurity skills by exploiting vulnerabilities.
A modified version of OpenSSH deamon forwarding commands to Cowrie for logging brute force attacks and shell interactions.
King Phisher is a phishing campaign toolkit for testing and promoting user awareness through simulated attacks.
Medium interaction SSH Honeypot with multiple virtual hosts and sandboxed filesystems.
A structured approach for conducting penetration tests with seven main sections covering all aspects of the test.
A Ruby framework designed to aid in the penetration testing of WordPress systems.
KFSensor is an advanced Windows honeypot system for detecting hackers and worms by simulating vulnerable system services.
A honeypot for the SSH Service
A utility for testing AWS Lambda functions for SQL Injection vulnerabilities using SQLMap attacks.
Detects and prevents SSRF attacks
A browser with XSS detection capabilities
SAST and malware analysis tool for Android APKs with detailed scan information.
Frontpage of the IO wargame with various versions and connection details.
A simple Docker-based honeypot to detect port scanning
GAUNTLT - Security and Rugged Testing tool
Modlishka is a reverse proxy tool for intercepting and manipulating HTTP traffic, ideal for penetration testers, security researchers, and developers to analyze and test web applications.
Mortar is an evasion technique to defeat and divert detection and prevention of security products, including AV, EDR, and XDR solutions.
A low-interaction SSH honeypot tool for recording authentication attempts.
Script for turning a Raspberry Pi into a Honey Pot Pi with various monitoring and logging capabilities.
A script for setting up a dionaea and kippo honeypot using Docker images.
A basic Flask-based Outlook Web App (OWA) honeypot for cybersecurity experimentation.
High interaction honeypot solution for Linux systems with data control and integrity features.
Kippo is a medium interaction SSH honeypot with fake filesystem and session logging capabilities.
An open-source framework for testing and validating the security of AWS services and resources.
A powerful penetration testing platform for identifying vulnerabilities and weaknesses in computer systems.
Ansible role for deploying and managing Bifrozt honeypots
Fake SSH server that sends push notifications for login attempts
JARM is a TLS server fingerprinting tool used for identifying server configurations and malicious infrastructure.
XSS Polyglot Challenge - XSS payload running in multiple contexts for testing XSS.
Kali Linux is a specialized Linux distribution for cybersecurity professionals, focusing on penetration testing and security auditing.
Tcpdump is a command-line packet analyzer for capturing and analyzing network traffic.
CHIPSEC is a framework for analyzing the security of PC platforms and components, with tools for low-level interfaces and forensic capabilities.
Linux-based operating system intentionally vulnerable for cybersecurity practice.
A virtual machine with numerous security vulnerabilities for testing exploits with Metasploit.
A tool for finding AWS credentials in files, optimized for Jenkins integration.
A honeypot mimicking Tomcat manager endpoints to log requests and save attacker's WAR files for analysis.
DueDLLigence is an open-source tool for identifying and analyzing DLL hijacking vulnerabilities in Windows applications, providing automated analysis and remediation guidance.
A deliberately weak and insecure implementation of GraphQL for testing and practicing GraphQL security
LeakIX is a red-team search engine that indexes mis-configurations and vulnerabilities online.
A live archive of DEF CON CTF challenges, vulnerable by design, for hackers to play safely.
A Docker container that starts a SSH honeypot and reports statistics to the SANS ISC DShield project
An open-source Python software for creating honeypots and honeynets securely.
A simple Elasticsearch honeypot to catch attackers exploiting RCE vulnerabilities.
SSLyze is a fast and powerful SSL/TLS scanning tool and Python library with a focus on speed, reliability, and ease of integration.
A wargaming network for penetration testers to practice their skills in a realistic environment.
A guide to brute forcing DVWA on the high security level with anti-CSRF tokens
A simple honeypot that opens a listening socket and waits for connection attempts, with configurable reply and event handling
Python utility for testing the existence of domain names under different TLDs to find malicious subdomains.
Static security code scanner (SAST) for Node.js applications with Docker support and integrations with Slack.
A lightweight web security auditing toolkit that simplifies security tasks and enhances productivity.
A free online tool that scans and fixes common security issues in WordPress websites.
A security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options.
Uploader honeypot designed to look like poor website security.
Open source penetration testing tool for detecting and exploiting command injection vulnerabilities.
Simple script to check a domain's email protections and identify vulnerabilities.
A security testing framework for Android with tools to search for vulnerabilities and interact with the Android Runtime.
A printer honeypot PoC that simulates a printer on a network to detect and analyze potential attackers.
DNS spoofer tool for redirecting DNS lookup requests.
Cloud Container Attack Tool (CCAT) is a tool for testing security of container environments.
A simple Postgres honey pot inspired by Elastichoney.
A low-interaction honeypot that logs IP addresses, usernames, and passwords used by clients connecting via SSH, primarily used for gathering intelligence on brute force attacks.
Fuzzapi is a Rails application with a user-friendly UI for API_Fuzzer gem and Docker setup.
HoneyThing is a honeypot for Internet of TR-069 things, emulating vulnerabilities and supporting TR-069 protocol.
Steganography brute-force utility with performance issues, deprecated in favor of stegseek.
Automated script to install and deploy a honeypot with kippo, dionaea, and p0f on Ubuntu 12.04.
A vulnerable web site for testing Sentinel features
Gamma Ray is a software that helps developers to look for vulnerabilities on their Node.js applications with a pluggable infrastructure for integration with vulnerabilities databases.
Emulate operating systems behind SSH servers for testing automation.
A proof of concept for using the SSM Agent in Fargate for incident response
