Explore 25 curated tools and resources
Want your tool featured here?
Get maximum visibility with pinned placement
Node.js Goof is a vulnerable Node.js demo application containing multiple security vulnerabilities for testing and educational purposes.
Node.js Goof is a vulnerable Node.js demo application containing multiple security vulnerabilities for testing and educational purposes.
A collection of Local File Inclusion (LFI) vulnerability tests and exploitation techniques designed for use with Burp Suite.
A collection of Local File Inclusion (LFI) vulnerability tests and exploitation techniques designed for use with Burp Suite.
qsfuzz is a rule-based fuzzing tool for testing query string parameters in web applications to identify security vulnerabilities.
qsfuzz is a rule-based fuzzing tool for testing query string parameters in web applications to identify security vulnerabilities.
A correlated injection proxy tool that integrates with XSS Hunter for automated cross-site scripting vulnerability testing and payload tracking.
A correlated injection proxy tool that integrates with XSS Hunter for automated cross-site scripting vulnerability testing and payload tracking.
A payload generator that creates malicious deserialization payloads for testing .NET applications against insecure deserialization vulnerabilities.
A payload generator that creates malicious deserialization payloads for testing .NET applications against insecure deserialization vulnerabilities.
A command-line tool that replaces all query string parameter values in URLs with a user-supplied value for security testing purposes.
A command-line tool that replaces all query string parameter values in URLs with a user-supplied value for security testing purposes.
A framework for testing and exploiting race condition vulnerabilities through concurrent request analysis and timing attack automation.
A framework for testing and exploiting race condition vulnerabilities through concurrent request analysis and timing attack automation.
A Python library that simplifies testing and exploiting race conditions in web applications using concurrent HTTP requests.
A Python library that simplifies testing and exploiting race conditions in web applications using concurrent HTTP requests.
A set of PHP scripts for practicing LFI, RFI, and CMD injection vulnerabilities.
A set of PHP scripts for practicing LFI, RFI, and CMD injection vulnerabilities.
FuzzDB is an open-source dictionary of attack patterns and predictable resource locations for dynamic application security testing and vulnerability discovery.
FuzzDB is an open-source dictionary of attack patterns and predictable resource locations for dynamic application security testing and vulnerability discovery.
MCIR is a unified framework for building code injection vulnerability testbeds that combines SQL, XML, shell, and XSS injection testing tools with shared functionality and template-based extensibility.
MCIR is a unified framework for building code injection vulnerability testbeds that combines SQL, XML, shell, and XSS injection testing tools with shared functionality and template-based extensibility.
TerraGoat is a deliberately vulnerable Terraform repository that demonstrates common cloud infrastructure misconfigurations for training and testing security tools.
TerraGoat is a deliberately vulnerable Terraform repository that demonstrates common cloud infrastructure misconfigurations for training and testing security tools.
A set of Go-based emulators for testing network security and analyzing network traffic.
A set of Go-based emulators for testing network security and analyzing network traffic.
An Android port of the Radamsa fuzzing tool compiled with Android NDK to support Android ABIs for security testing on mobile platforms.
An Android port of the Radamsa fuzzing tool compiled with Android NDK to support Android ABIs for security testing on mobile platforms.
Container image definitions that create standardized testing environments for software applications with consistent dependencies and configurations.
Container image definitions that create standardized testing environments for software applications with consistent dependencies and configurations.
A collection of vulnerable web application test cases designed to benchmark and evaluate the effectiveness of static security analyzers and penetration testing tools.
A collection of vulnerable web application test cases designed to benchmark and evaluate the effectiveness of static security analyzers and penetration testing tools.
A collection of vulnerable web applications containing command injection flaws designed to test and evaluate detection and exploitation tools like commix.
A collection of vulnerable web applications containing command injection flaws designed to test and evaluate detection and exploitation tools like commix.
A Terraform tool that creates intentionally misconfigured AWS infrastructure with 84 vulnerabilities across 22 services for security training and testing purposes.
A Terraform tool that creates intentionally misconfigured AWS infrastructure with 84 vulnerabilities across 22 services for security training and testing purposes.
A collection of scripts for debugging SSRF, blind XSS, and XXE vulnerabilities
Lambda-Proxy is a utility that enables SQL injection testing of AWS Lambda functions by converting SQLMap HTTP attacks into Lambda invoke calls through a local proxy.
Lambda-Proxy is a utility that enables SQL injection testing of AWS Lambda functions by converting SQLMap HTTP attacks into Lambda invoke calls through a local proxy.
A comprehensive cheat sheet providing SQLite-specific SQL injection techniques, payloads, and enumeration methods for security testing and penetration testing activities.
A comprehensive cheat sheet providing SQLite-specific SQL injection techniques, payloads, and enumeration methods for security testing and penetration testing activities.
A virtual machine with numerous security vulnerabilities for testing exploits with Metasploit.
A virtual machine with numerous security vulnerabilities for testing exploits with Metasploit.
ezXSS is a testing framework that helps penetration testers and bug bounty hunters identify Cross Site Scripting vulnerabilities, especially blind XSS attacks.
ezXSS is a testing framework that helps penetration testers and bug bounty hunters identify Cross Site Scripting vulnerabilities, especially blind XSS attacks.
A CLI tool that performs security assessments on Joi validator schemas by testing them against various attack vectors including XSS, SQL injection, RCE, and SSRF.
A CLI tool that performs security assessments on Joi validator schemas by testing them against various attack vectors including XSS, SQL injection, RCE, and SSRF.
A comprehensive collection of SQL injection syntax references and payloads for testing various database management systems during penetration testing and security assessments.
A comprehensive collection of SQL injection syntax references and payloads for testing various database management systems during penetration testing and security assessments.