Web App Hacking
Web App Testing Resources
OWASP Web Security Testing Guide - comprehensive guide to testing the security of web applications and web services, maintained by the OWASP Foundation.
https://owasp.org/www-project-top-ten/ - OWASP's list of the ten most critical web application security risks, the categories you will encounter most often in web app pentesting.
OWASP Testing Guide 4.0 (PDF)
https://www.crest-approved.org/membership/crest-ovs-programme/ - CREST's new application security standard (CREST OVS), built on the OWASP ASVS.
Hacktricks Web Pentesting Guide - Written by Carlos Polop, the creator of WinPEAS and LinPEAS. Everything this guy makes is gold. Highest recommendation.
The Bug Hunters Methodology - Written by Jason Haddix, this repo details his toolset and methodology for web app penetration testing.
HowToHunt - Amazing collaborative project documenting testing methodology for different web application vulnerabilities.
Resources
There is a bug bounty focused search engine at https://www.bugbountyhunting.com/ that can point you in the direction of tools, attacks, methodology, writeups, anything you want. It is amazing.
Operator Handbook: Web_Exploit - pg.318
Web App Hacking Research by James Kettle - the personal blog of PortSwigger's Head of Research, James Kettle, for everything that isn't posted on PortSwigger.com/research.
https://pentestbook.six2dez.com/enumeration/webservices/ - Tools and attacks for specific web services.
Bug Bounty
Platforms
Methodology
https://github.com/Cyber-Guy1/theCyberGuy_Recon_V1.0 - Great recon methodology mind map.
Resource collections
awesome-bug-bounty - a comprehensive curated list of available bug bounty programs.
Firebounty - Bug bounty search engine.
Write-up tools
Write-ups and Scopes
Awesome-Bugbounty-Writeups - a curated list of bug bounty writeups.
bounty-targets-data - This repo contains hourly-updated data dumps of bug bounty platform scopes (HackerOne, Bugcrowd, Intigriti, etc.) that are eligible for reports.
bug-bounty-reference - a list of bug bounty write-ups.
Bug bounty writeups - list of bug bounty writeups (2012-2020).

Web Technologies
Attacks and Vulnerabilities
Web App Vulnerabilities
Training and Resources
For resources including offensive security courses, books, CTFs and much more, please check out the Training and Resources section of this guide.
crAPI - completely ridiculous API (crAPI) will help you understand the ten most critical API security risks. crAPI is vulnerable by design, but you can run it safely in a local lab to educate and train yourself.