Red - Web App Hacking

Web App Testing Resources



There is a bug bounty focused search engine at that can point you in the direction of tools, attacks, methodology, writeups, anything you want. It is amazing.

Resource Collections

Bug Bounty


Resources and Reference

Web App Testing Frameworks

Scanning Utilities

Mapping the Site

Web Technologies

Attacks and Vulnerabilities

Misc Tools

  •  - WEBGAP remote browser isolation physically isolates you from the risks of using the internet by isolating your web browsing activity away from your local device.
  •  - A modern request bin to collect, inspect and debug HTTP requests and webhooks
  • Race-the-web - Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration pipeline.
  • DVCS-Ripper - Rip web accessible (distributed) version control systems: SVN, GIT, Mercurial/hg, bzr, etc.
  • SSLStrip - This is a new version of Moxie's SSLstrip with the new feature to avoid the HTTP Strict Transport Security (HSTS) protection mechanism.
  • BB King's Quieter Firefox template - Stripped down Firefox with no callouts to throw off traffic. Great for testing of all sorts.
  • Unfurl - Tool for breaking down a URL to better understand its components.
  • Fake credit card numbers for testing payment systems
  • Credit Cards numbers for use in testing
  • interactsh - An OOB interaction gathering server and client library
  • Firebounty - Bug bounty search engine

Training and Resources

For resources including offensive security courses, books, CTFs and much more, please check out the Training and Resources section of this guide.