
OWASP Joomla Vulnerability Scanner Project

  •    Perl

A regularly updated, signature-based scanner that detects file inclusion, SQL injection, command execution, XSS, DoS and directory traversal vulnerabilities in a target Joomla! web site. It searches for known vulnerabilities in Joomla! and its components, performs web application firewall detection, and a lot more.

hacker101 - Hacker101

  •    Ruby

Hacker101 is a free class for web security. Whether you're a programmer with an interest in bug bounties or a seasoned security professional, Hacker101 has something to teach you. Hacker101 is structured as a set of video lessons -- some covering multiple topics, some covering a single one -- and can be consumed in two different ways. You can either watch them in the order produced as in a normal class (§ Sessions), or you can watch individual videos (§ Vulnerabilities). If you're new to security, we recommend the former; this provides a guided path through the content and covers more than just individual bugs.

juice-shop - OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in JavaScript which encompasses the entire OWASP Top Ten and other severe security flaws

  •    Javascript

OWASP Juice Shop is an intentionally insecure web application written entirely in JavaScript which encompasses the entire range of OWASP Top Ten and other severe security flaws. Each packaged distribution includes SQLite binaries bound to the OS and node.js version on which npm install was executed.

Mobile-Security-Framework-MobSF - Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing

  •    Python

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and supports both binaries (APK, IPA & APPX) and zipped source code. MobSF can do dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API specific security scanner. MobSF is designed to make your CI/CD or DevSecOps pipeline integration seamless. Your generous donations will keep us motivated.

w3af - Web Application Attack and Audit Framework

  •    Python

w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities. It can find cross-site scripting, SQL injection and a lot more. The framework implements web and proxy servers which are easy to integrate into your code in order to identify and exploit vulnerabilities.

Wapiti - Web application vulnerability scanner / security auditor

  •    Python

Wapiti allows you to audit the security of your web applications. It performs "black-box" scans, i.e. it does not study the source code of the application but scans the web pages of the deployed webapp, looking for scripts and forms where it can inject data. Once it has this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable. It is able to differentiate reflected (one-off) and persistent XSS vulnerabilities.

IronWASP - Iron Web application Advanced Security testing Platform

  •    CSharp

IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.

openftp4 - A list of all FTP servers in IPv4 that allow anonymous logins.

  •    

This is a list of all FTP servers directly connected to port 21 in the IPv4 address space that allow anonymous logins. The login must complete in less than 15 seconds to qualify for this list. How and why this list was created is documented in detail in my blog post Mass-analyzing a chunk of the Internet. You can do whatever you want with this data. Consider linking to this repo if you find something interesting or odd.

twa - A tiny web auditor with strong opinions.

  •    Shell

A tiny web auditor with strong opinions. You'll need bash 4, curl, dig, and nc, along with a fairly POSIX system.

password-score - Password scoring library written in Javascript.

  •    Javascript

Password Score is a JavaScript library for estimating password security in terms of entropy. Besides using dictionaries, the library searches for common passwords or names and scans for patterns like dates in any format, sequences, repetitions or keyboard patterns. Based on the patterns found, the entropy may be used to estimate the average time needed to crack the password. Estimating the time to crack is still to be implemented. In addition there is still some work to do concerning documentation and the demonstration site.

lighthouse-security - Runs the default Google Lighthouse tests with additional security tests

  •    Javascript

Runs the default Google Lighthouse tests with additional security tests. Run the command from the CLI as shown below. The options are the same as for the default Lighthouse CLI options.

awesome-ocap - Awesome Object Capabilities and Capability Security

  •    

Capability-based security enables the concise composition of powerful patterns of cooperation without vulnerability. What Are Capabilities? explains in detail. Shill: Shill is a shell scripting language designed to make it easy to follow the Principle of Least Privilege. It runs on FreeBSD and is developed in Racket.

lookyloo - Lookyloo is a web interface that scrapes a website and then displays a tree of the domains calling each other

  •    Javascript

Lookyloo is a web interface that scrapes a website and then displays a tree of the domains calling each other. This code is very heavily inspired by webplugin and adapted to use Flask as the backend.

alokmenghrajani.github.com - Alok Menghrajani's Blog

  •    Javascript

I started this blog around 1996, hosting it on geocities.com at first. What started as a small collection of random posts about chess and computer graphics grew into a collection of around 100 posts covering a wide array of computer science topics: from quines to size optimization, from web security to compilers/language design, and many other topics. After hosting this site for over 20 years and serving several million page views, I have decided to no longer post new content. I hope you'll enjoy all the content, which can still be accessed at quaxio.com.

viewstate - ASP.NET View State Decoder

  •    Python

A small Python 3.5+ library for decoding ASP.NET ViewState. Decoding the view state can be useful in penetration testing of ASP.NET applications, as well as for revealing more information that can be used to scrape web pages efficiently.

Taipan - Web application security scanner

  •    F#

If you want to try the dev version of Taipan without waiting for an official release, you can download the build version. This version is built on every commit that does not break the build process. You can download it from the Artifacts Directory.

c4 - Open IP cameras in IPv4

  •    

c4 is a plain-text list of stream URLs of about 30k open IP cameras in IPv4, which is a representative amount. The open command should be configured to open URLs with your browser.

Minesweeper - A Burpsuite plugin (BApp) to aid in the detection of scripts being loaded from over 9200+ malicious cryptocurrency mining domains (cryptojacking)

  •    Python

A Burp Suite plugin (BApp) to aid in the detection of scripts being loaded from over 9200 malicious cryptocurrency mining domains (cryptojacking). As this is the first build of Minesweeper, the lists are currently built from CoinBlockerLists. As the project matures, more sources will be added, as well as direct code checks. Since CoinBlockerLists updates quite frequently, code is included to let you manually update your source list from the CoinBlockerLists GitHub project.

juice-shop-ctf - Capture-the-Flag (CTF) environment setup tools for OWASP Juice Shop

  •    Javascript

The NPM package juice-shop-ctf-cli lets you create archive files for conveniently importing OWASP Juice Shop challenges into different Capture the Flag frameworks. This allows you to populate a CTF game server in a matter of minutes. Then follow the instructions of the interactive command-line tool.