Links to online resources & tools we use during our web application / network security courses.
You can create a PR or open an issue if you think we missed a useful resource.
Short URL: https://git.io/secres
- Compass Security: https://compass-security.com/de/
- Compass Security Blog: https://blog.compass-security.com/
- Hacking Lab 1.0: https://www.hacking-lab.com/
- Hacking Lab 2.0: https://compass.hacking-lab.com/
- Hacking Lab Live CD: https://livecd.hacking-lab.com/
- Awesome Security: https://github.com/sbilly/awesome-security
- InfoSec Reference That Doesn't Suck!(Much): https://rmusser.net/docs/index.html
- Awesome Penetration Testing: https://github.com/enaqx/awesome-pentest
- Security Checklists from pentestlab.blog: https://github.com/netbiosX/Checklists
- Security Tools Collection: https://tools.tldr.run/
- Public Pentest Reports: https://github.com/juliocesarfort/public-pentesting-reports
- Payload All The Things: https://github.com/swisskyrepo/PayloadsAllTheThings
- HackTricks: https://book.hacktricks.xyz/
- Red Teaming Experiments: https://www.ired.team/
- Pentester's promiscuous Notebook: https://ppn.snovvcrash.rocks/ (by snovvcrash https://snovvcrash.rocks/)
- Various Security Tutorials by Prof. Andreas Steffen, strongSec GmbH: https://github.com/strongX509/cyber/
- CyberChef: https://gchq.github.io/CyberChef/
- Useful Web Tools by @h43z: https://h.43z.one/
- Explain Shell Commands: https://explainshell.com/
- Online Regex Tester & Debugger: https://regex101.com/
- Phrack: http://phrack.org/
- PoC||GTFO: https://www.alchemistowl.org/pocorgtfo/
- media.ccc.de: https://media.ccc.de/
- LiveOverflow: https://www.youtube.com/c/LiveOverflowCTF/
- Stacksmashing: https://www.youtube.com/channel/UC3S8vxwRfqLBdIhgRlDRVzw
- IppSec (Hack The Box Walkthroughs): https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
- /dev/null: https://www.youtube.com/channel/UCGISJ8ZHkmIv1CaoHovK-Xw
- DEFCON Switzerland / Area41: https://www.youtube.com/user/defconswitzerland/
- Swiss Cyber Storm: https://www.youtube.com/channel/UCY-Wb3JuBv_xpa8s6ZrpUxg/
- Cooper Recordings: https://administraitor.video/
- DEFCON: https://www.youtube.com/user/DEFCONConference/
- Black Hat: https://www.youtube.com/user/BlackHatOfficialYT
- HTML Standard: https://html.spec.whatwg.org/
- W3Schools: https://www.w3schools.com/
- Mozilla Developer Network (MDN): https://developer.mozilla.org/
- Compass Demo: https://www.compass-demo.com/
- PortSwigger Online Seminar: https://portswigger.net/web-security
- OWASP: https://owasp.org/
- OWASP Top 10
- Project Page: https://owasp.org/www-project-top-ten/
- New Project Page: https://www.owasptopten.org/
- GitHub: https://github.com/OWASP/Top10
- OWASP Application Security Verification Standard (ASVS)
- API Security: https://www2.owasp.org/www-project-api-security/
- Cheat Sheet Series: https://cheatsheetseries.owasp.org/
- Juice Shop
- Project Page: https://owasp-juice.shop/, https://owasp.org/www-project-juice-shop/
- GitHub: https://github.com/bkimminich/juice-shop
- Companion Guide: https://pwning.owasp-juice.shop/
- Demo: https://juice-shop.herokuapp.com/
- OWASP Switzerland
- Chapter Page: https://owasp.org/www-chapter-switzerland/
- Mailing List: https://groups.google.com/a/owasp.org/forum/#!forum/switzerland-chapter
- Twitter: https://twitter.com/owasp_ch
- YouTube: https://www.youtube.com/channel/UCut4rjo2pUSdtnX3hUbi9_Q
- Presentation Slides Repo: https://github.com/OWASP/www-chapter-switzerland/tree/master/assets/slides
- Stanford Web Security Class: https://web.stanford.edu/class/cs253/
- HTTP Status Codes: https://httpstatuses.com/
- Can I Use (Browser Support Matrix): https://caniuse.com/
- Mozilla Developer Network: https://developer.mozilla.org/
- W3C Overview: https://www.w3.org/TR/
- CORS: https://www.w3.org/TR/2020/SPSD-cors-20200602/
- HTTP/2 Explained: https://http2-explained.haxx.se/
- HTTP/3 Explained: https://http3-explained.haxx.se/
- HTTP/2 Speed Demo: https://http2.akamai.com/demo
- Weird Proxies: https://github.com/GrrrDog/weird_proxies
- Have I Been Pwned (Password Leaks): https://haveibeenpwned.com/
- Pwned Passwords: https://haveibeenpwned.com/Passwords
- Dehashed Leaked Passwords Database: https://www.dehashed.com/
- Hashes.org (Password Hash Database): https://hashes.org/
- OAuth.net: https://oauth.net/2/
- OAuth 2.0 Simplified: https://www.oauth.com/
- The OAuth 2.0 Authorization Framework, RFC 6749: https://tools.ietf.org/html/rfc6749
- OAuth 2.0 Security Best Current Practice: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16
- OpenID Connect & OAuth 2.0 - Security Best Practices, Dominick Baier, 2020: https://www.youtube.com/watch?v=AUgZffkurK0
- OAuth 2.0 for Browser-Based Apps: https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-07
- OIDC Discovery: https://auth0.com/docs/protocols/configure-applications-with-oidc-discovery
- Real-life OIDC Security: https://security.lauritz-holtmann.de/post/sso-security-overview/
- PortSwigger XSS Cheat Sheet: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
- XSS Payloads: https://html5sec.org/
- XSS Hunter: https://xsshunter.com/
- Script Gadgets: https://github.com/google/security-research-pocs (bypass overview: https://github.com/google/security-research-pocs/blob/master/script-gadgets/bypasses.md)
- Browser Exploitation Framework (BeEF): https://beefproject.com/
- Attack Examples
- XSS in Electron App leads to RCE: https://blog.doyensec.com/2017/08/03/electron-framework-security.html
- XSS in Google Search Field: https://www.youtube.com/watch?v=lG7U3fuNw3A
- XSS in Tweetdeck Twitter Client: https://twitter.com/dergeruhn/status/476764918763749376?lang=en
- Same-Site Cookie Flag: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-06
- Public Suffix List (https://publicsuffix.org): https://publicsuffix.org/list/public_suffix_list.dat
- Security Headers: https://securityheaders.com/
- Content Security Policy (CSP) Evaluator: https://csp-evaluator.withgoogle.com/ (Code: https://github.com/google/csp-evaluator)
- HSTS Preloading: https://hstspreload.org
- JWT Decoder/Encoder: https://jwt.io/
- PentesterLab JWT Cheat Sheet: https://assets.pentesterlab.com/jwt_security_cheatsheet/jwt_security_cheatsheet.pdf
- JWT Tool for testing: https://github.com/ticarpi/jwt_tool
- Convert JWK to PEM:
- Crypto Playground: https://8gwifi.org/jwkconvertfunctions.jsp
- Keytool: https://keytool.online/
- Attack Examples
- Algorithm Confusion
- Auth0 Info: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
- pyjwt CVE-2017-11424: https://www.cvedetails.com/cve/CVE-2017-11424/
- pyjwt fix: https://github.com/jpadilla/pyjwt/commit/88a9fc56bdc6c870aa6af93bda401414a217db2a, https://github.com/jpadilla/pyjwt/commit/37926ea0dd207db070b45473438853447e4c1392
- PortSwigger SQL Injection Cheat Sheet: https://portswigger.net/web-security/sql-injection/cheat-sheet
- Attack Examples
- Sending mails via SMTP using XXE: https://shiftordie.de/blog/2017/02/18/smtp-over-xxe/
- Burp Suite: https://portswigger.net/burp/communitydownload
- SQLMap: http://sqlmap.org/
- SQLMap cheat sheet: https://www.comparitech.com/net-admin/sqlmap-cheat-sheet/
- Burp Suite Extensions
- Burp Suite Extensions Overview: https://apps.burpsuite.guide/
- SAML Raider: https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e, https://github.com/CompassSecurity/SAMLRaider
- JSON Web Tokens: https://portswigger.net/bappstore/f923cbf91698420890354c1d8958fee6, https://github.com/portswigger/json-web-tokens
- Talk "Automated security testing for Software Developers who dont know security!" (shows how to use OWASP ZAP in a CI/CD pipeline): https://media.ccc.de/v/Camp2019-10181-automated_security_testing_for_software_developers_who_dont_know_security
- OWASP Web Goat: https://owasp.org/www-project-webgoat/
- Damn Vulnerable Web Application: http://www.dvwa.co.uk/
- OWASP JuiceShop: https://owasp.org/www-project-juice-shop/
- SSL/TLS and PKI History: https://www.feistyduck.com/ssl-tls-and-pki-history/
- Every Byte of a TLS Connection: https://tls.ulfheim.net/
- Every Byte of a TLS Connection for TLS 1.3: https://tls13.ulfheim.net/
- Cipher Suite Ratings: https://ciphersuite.info/
- SSL Labs (TLS Server Test): https://ssllabs.com
- Hardenize: https://hardenize.com/
- BadSSL: Weak TLS Configuration Test Page: https://badssl.com
- Certificate Transparency Search: https://crt.sh/
- SSLyze TLS Server Test Tool: https://github.com/nabla-c0d3/sslyze
- Key Lengths: https://keylength.com
- Cryptopals Crypto Challenges: https://cryptopals.com/
- CryptoHack: https://cryptohack.org/
- Key generation / conversion: https://keytool.online/
- contained.af (separation examples): https://contained.af/
- Hacking Tools Cheat Sheet: https://github.com/CompassSecurity/Hacking_Tools_Cheat_Sheet
- Porchetta Industries OpenSource Tools Support: https://porchetta.industries/
- Security Best Practices for On-Premise Environments: https://github.com/CompassSecurity/OnPremSecurityBestPractices
- Amass: https://github.com/OWASP/Amass
- Sublist3r: https://github.com/aboul3la/Sublist3r
- Shodan: https://www.shodan.io/
- Censys: https://censys.io/
- Payload All The Things: https://github.com/swisskyrepo/PayloadsAllTheThings
- VirusTotal: https://www.virustotal.com/
- FuzzDB: https://github.com/fuzzdb-project/fuzzdb
- SecLists: https://github.com/danielmiessler/SecLists
- Rapid7 Open Data: https://opendata.rapid7.com/
- PortQuiz: http://portquiz.net/
- nip.io (wildcard DNS): https://nip.io/
- RequestBin.NET: http://requestbin.net/
- Various useful tools: https://h.43z.one/
- Request Logger: http://log.43z.one/
- IP Address Convertor (useful for SSRF): https://h.43z.one/ipconverter/
- Nmap: https://nmap.org/
- Nmap-parse-output: https://github.com/ernw/nmap-parse-output
- Aquatone: https://github.com/michenriksen/aquatone
- SMBMap: https://github.com/ShawnDEvans/smbmap
- Snaffler: https://github.com/SnaffCon/Snaffler
- Subjack: https://github.com/haccer/subjack
- Sniffing Tools
- tcpdump: https://www.tcpdump.org/
- Wireshark / Tshark: https://www.wireshark.org/
- PCAP Collection
- Wireshark Sample Captures: https://wiki.wireshark.org/SampleCaptures
- Sniffing Analysis
- PacketTotal: https://packettotal.com/
- A-Packets: https://apackets.com/
- Extract credentials from network interfaces / PCAP files
- net-creds: https://github.com/DanMcInerney/net-creds
- PCredz: https://github.com/lgandx/PCredz
- Network Programming in Python: https://0xbharath.github.io/python-network-programming/
- Python Foundations: https://0xbharath.github.io/python-foundations/
- Scapy: https://scapy.net/
- Workshop: The Art of Packet Crafting with Scapy by @0xbharath
- DNSViz (show DNSSEC chain): https://dnsviz.net/
- Public .ch DNS Zone: https://www.switch.ch/open-data/#tab-c5442a19-67cf-11e8-9cf6-5254009dc73c-3
- Search Tool: https://search-ch-domains.idocker.hacking-lab.com/
- Email Infrastructure: https://www.hardenize.com/labs/policy?s=09
- Metasploit: https://www.metasploit.com/
- Vulnerability Database: https://cvedetails.com/
- Exploit Database: https://www.exploit-db.com/
- Hak5 Gadget Shop: https://shop.hak5.org/
- Covenant: https://github.com/cobbr/Covenant
- General Information
- Talk "G1234! - Password Cracking 201: Beyond the Basics - Royce Williams": https://www.youtube.com/watch?v=cSOjQI0qbuU
- Online Brute Force Tools
- Offline Brute Force Tools
- Name-That-Hash: https://github.com/HashPals/Name-That-Hash
- Hashcat: https://hashcat.net/hashcat/
- John The Ripper: https://www.openwall.com/john/
- Offline Brute Force Services
- CrackStation: https://crackstation.net/
- Crack.sh (DES Cracker): https://crack.sh/
- Wordlists
- Password Lists from SecLists: https://github.com/danielmiessler/SecLists/tree/master/Passwords
- CrackStation Dictionary: https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm
- PWDB - New generation of Password Mass-Analysis: https://github.com/ignis-sec/Pwdb-Public
- Rules
- NSA Rules: https://github.com/NSAKEY/nsa-rules
- Hob0Rules: https://github.com/praetorian-inc/Hob0Rules
- Corporate Rule: https://github.com/sparcflow/StratJumbo/blob/master/chap3/corporate.rule
- OneRuleToRuleThemAll: https://github.com/NotSoSecure/password_cracking_rules
- Hashcat Rules: https://github.com/hashcat/hashcat/tree/master/rules (e.g. best64 rule)
- Enumeration
- LinEnum: https://github.com/rebootuser/LinEnum
- linPEAS: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
- pspy (unprivileged Linux process snooping): https://github.com/DominicBreuker/pspy
- Glyptodon (search for suspicious files): https://blog.sevagas.com/?-Glyptodon
- Lynis: https://cisofy.com/lynis/
- Privilege Escalation Methods
- Sudo privesc on Compass Blog: https://blog.compass-security.com/tag/sudo/
- HackTricks Linux Privilege Escalation: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist and https://book.hacktricks.xyz/linux-unix/privilege-escalation
- PayloadsAllTheThings Linux Privilege Escalation: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
- Back To The Future: Unix Wildcards Gone Wild (Wildcard Injection): https://www.exploit-db.com/papers/33930
- Exploitation Tools
- LES (Linux Exploit Suggester): https://github.com/mzet-/linux-exploit-suggester
- GTFOBins: https://gtfobins.github.io/
- GTFOBLookup: https://github.com/nccgroup/GTFOBLookup
- Hardening
- Distribution Independent Linux CIS Benchmark: https://www.cisecurity.org/benchmark/distribution_independent_linux/
- Attacks / Methodologies
- Active Directory Security: https://adsecurity.org/
- AD Exploitation Cheat Sheet: https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
- The Dog Whisperer's Handbook: https://www.ernw.de/download/BloodHoundWorkshop/ERNW_DogWhispererHandbook.pdf
- Not A Security Boundary: Breaking Forest Trusts: https://posts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d
- Attacking Active Directory: 0 to 0.9: https://zer1t0.gitlab.io/posts/attacking_ad/?s=09
- Windows & Active Directory Exploitation Cheat Sheet and Command Reference: https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/
- Kerberos
- CVE-2020-17049: Kerberos Bronze Bit Attack Theory: https://www.netspi.com/blog/technical/network-penetration-testing/cve-2020-17049-kerberos-bronze-bit-theory/
- Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
- Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain): https://adsecurity.org/?p=1667
- Kerberos Attack Cheat Sheet: https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
- Active Directory Certificate Services
- Abusing Active Directory Certificate Services Whitepaper: https://specterops.io/assets/resources/Certified_Pre-Owned.pdf
- Abusing Active Directory Certificate Services Blogpost: https://posts.specterops.io/certified-pre-owned-d95910965cd2
- Best Practices
- Domain-Join Computers the Proper Way: https://blog.compass-security.com/2020/03/domain-join-computers-the-proper-way/
- Tools
- Sysinternals: https://docs.microsoft.com/en-us/sysinternals/#sysinternals-live
- Sysinternals Direct Download: https://live.sysinternals.com/
- PowerSploit: https://github.com/PowerShellMafia/PowerSploit
- PowerUpSQL: https://github.com/NetSPI/PowerUpSQL
- Mimikatz: https://github.com/gentilkiwi/mimikatz
- Impacket: https://github.com/SecureAuthCorp/impacket
- Responder: https://github.com/lgandx/Responder
- CrackMapExec: https://github.com/byt3bl33d3r/CrackMapExec
- CredNinja: https://github.com/Raikia/CredNinja
- BloodHound
- Project Page: https://github.com/BloodHoundAD/BloodHound
- Compass Custom BloodHound Queries: https://github.com/CompassSecurity/BloodHoundQueries
- PingCastle
- Project Page: https://www.pingcastle.com/
- Healthcheck Rules: https://www.pingcastle.com/PingCastleFiles/ad_hc_rules_list.html
- Kerbrute: https://github.com/ropnop/kerbrute
- A Cloud Guru Online Trainings: https://acloudguru.com/
- Docker Security
- How Containers Work!, Julia Evans, https://jvns.ca/blog/2020/04/27/new-zine-how-containers-work/
- Practical Docker Security: https://docs.google.com/presentation/d/1jZkq-osQYOCcpR6gU2V1M7JvM4MsazcgVpvGqOUIh-s/edit#slide=id.g4405d38279_0_218
- Docker.com: Docker Security Concepts: https://docs.docker.com/engine/security/security/
- Docker Security Blogpost: https://blog.sqreen.com/docker-security/
- 7 Docker Security Vulnerabilities: https://sysdig.com/blog/7-docker-security-vulnerabilities/
- Docker.com: Docker Breakout in 2014: https://blog.docker.com/2014/06/docker-container-breakout-proof-of-concept-exploit/
- Understanding Docker Container Escapes: https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
- Docker & Capabilities by RedHat: https://www.redhat.com/en/blog/secure-your-containers-one-weird-trick
- Docker.com: Seccomp: https://docs.docker.com/engine/security/seccomp/
- Docker Capabilities and no-new-privileges: https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/
- Dockerfile Best Practices: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
- Dockerfile Security Best Practices: https://cloudberry.engineering/article/dockerfile-security-best-practices/
- Docker Images 10 Tips: https://snyk.io/blog/10-docker-image-security-best-practices/
- Kubernetes
- Bad Pods: Kubernetes Pod Privilege Escalation: https://labs.bishopfox.com/tech-blog/bad-pods-kubernetes-pod-privilege-escalation#pod8
- Talk "Kubernetes from an Attacker's Perspective" by Abhisek Datta: https://www.youtube.com/watch?v=aloi74MH4zk
- Talk "Advanced Persistence Threats: The Future of Kubernetes Attacks" by Ian Coldwater and Ian Coldwater: https://www.youtube.com/watch?v=CH7S5rE3j8w
- Kubernetes Security Jupyter Notebooks: https://github.com/thomasfricke/training-kubernetes-security
- Hack the Box: https://www.hackthebox.eu/
- Hack the Box Academy: https://academy.hackthebox.eu/
- PentesterLab: https://pentesterlab.com/
- Metasploitable: https://sourceforge.net/projects/metasploitable/
- Root Me: https://www.root-me.org
- VulnHub: https://www.vulnhub.com/
- Homograph Attacks: https://dev.to/logan/homographs-attack--5a1p
- Tool: https://github.com/evilsocket/ditto
- Example: https://ΡΠ°ΡΡΠ°Σ.com/
- Frida Hooking Framework: https://frida.re/
- Frida Hooks Collection: https://codeshare.frida.re/
- objection - Runtime Mobile Exploration: https://github.com/sensepost/objection
- Frida
- Frida Hook Examples: https://github.com/antojoseph/frida-android-hooks
- Frida Code Share: https://codeshare.frida.re/browse
- Frida Code Snippets for Android: https://erev0s.com/blog/frida-code-snippets-for-android/
- F-Secure Android Keystore Audit