Web App Hacking

Web App Testing Methodology

• ​OWASP Web Security Testing Guide - comprehensive guide to testing the security of web applications and web services created by the OWASP foundation.

  • ​https://owasp.org/www-project-top-ten/ - Guide to the top ten most common vulnerabilities encountered in web app pentesting.

• ​Hacktricks Web Pentesting Guide - Written by Carlos Pollop, the creator of WinPEAS and LinPEAS. Everything this guy makes is gold. Highest of recommendations

• ​The Bug Hunters Methodology - Written by the Jason Haddix, this repo details his toolset and methodology for web app penetration testing.

  • ​Jason's Presentation of TBHM 2.0​

  • ​Updated info of TBHM 4.02​

• ​HowToHunt - Amazing collaborative project documenting testing methodology for different web application vulnerabilities.

Web App Testing Cheatsheets, Tools, and Resources

• ​Awesome Lists Collection: Web Hacking​

• ​Awesome Lists Collection: Web Security​

• ​Awesome Lists Collection: Hacker API Tools​

• ​InfoSec Reference: Web and Web Applications.​

• ​InfoSec Reference: Fuzzing​

• ​Bug Bounty Forum's Tool List​

• ​EdOverflow/bugbounty-cheatsheet​

• ​yasinS/bug-bounty-reference​

• ​Shiva108/Web-CTF-Cheatsheet​

• ​Daniel Meissler's Web Security Testing Resources​

• ​bug-bounty-methodology-methodology-toolkit-tips-tricks-blogs-v-1-0​

• ​bug-bounty-methodology-ttp-tacticstechniques-and-procedures-v-2-0​

• ​Web App Hacking Research by James Kettle - Everything that isnt posted on PortSwigger.com/research, this site is the blog for the research done by PortSwigger's Head of research, James Kettle.

• ​XSS-Rat's WAF Checklist - Everything you need to do to bypass a Web Application Firewall.

• ​Web App Payload Collection​

Misc Handy tools

• ​Unfurl - Tool for breaking down a URL to better understand its components.

• ​Fake credit card numbers for testing payment systems

Bug Bounty

• Platforms

  • ​https://www.hackerone.com/​

  • ​https://www.bugcrowd.com/​

  • ​https://www.synack.com/​

  • ​https://cobalt.io/​

  • ​https://www.zerocopter.com/​

  • ​https://www.yeswehack.com/​

  • ​https://www.antihack.me/​

  • ​https://securebug.se/​

• Resources

  • ​Nahamsec's Resources for Beginning Bug Bounty Hunters - The tool set, resources, and how to guides from one of the top ranked Bug Bounty hunters in the world. He produces a ton of amazing content, videos, and even live streams of him hunting.

  • ​XSS-Rat's Free Bug Bounty Guide - Amazing chap with amazing content. If you like this guide, check out his other content. His premium content is cheap and well worth it.

  • ​https://www.bugcrowd.com/bug-bounty-list - The most comprehensive, up to date crowdsourced list of bug bounty and security vulnerability disclosure programs from across the web curated by the hacker community.

  • ​HackerScrolls Bug Bounty Mind Maps​

  • ​https://www.infosecmatter.com/bug-bounty-tips/​

  • ​https://gowsundar.gitbook.io/book-of-bugbounty-tips/​

  • ​https://hackerstop.org/bugbounty​

  • ​https://www.hackerone.com/ethical-hacker/hack-learn-earn-free-e-book​

Training

• ​All learning materials | Web Security Academy - This platform has replaced the Web Application Hackers Handbook as the go to learning resource for web application knowledge. Huge list of attacks, resources, and documentation on how to exploit or defend them. There are also amazingly handy hands on labs that you can complete with the community version of Burp!

• ​Burp Suite Certified Practitioner - The official Burp Suite user certification from PortSwigger

• ​Bugcrowd University | Bugcrowd - Resources and training from one of the top Bug Bounty platforms on the market.

• ​Burp Suite: In Depth Survival Guide | Udemy - Burp Suite is huge and complex. This course is a fantastic way to start making sense of all the utility in the tool

• ​Web Application Penetration Testing Training Course | (ISC)²​

• ​Cyber Mentor's Intro to Bug Bounty​

Books

• Web Application Hackers Handbook (Depreciated) - A great resource, but everything that is in it and more has been posted up with labs at https://portswigger.net/web-security​

• Operator Handbook - Netmux

Misc Reference

• Operator Handbook: Web_Exploit - pg.318

​