A list of useful payloads and bypass for Web Application Security and Pentest/CTF

ALL IN ONE Hacking Tool For Hackers

SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.

Rewrite of the popular wireless network auditor, "wifite"

RSA attack tool (mainly for ctf) - retrieve private key from weak public key and/or uncipher data

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authenticat…

AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services.

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.

Top disclosed reports from HackerOne

Stalk your Friends. Find their Instagram, FB and Twitter Profiles using Image Recognition and Reverse Image Search.

Email OSINT & Password breach hunting tool, locally or using premium services. Supports chasing down related email

Automated Penetration Testing Framework - Open-Source Vulnerability Scanner - Vulnerability Management

Villain is a high level stage 0/1 C2 framework that can handle multiple reverse TCP & HoaxShell-based shells, enhance their functionality with additional features (commands, utilities) and share th…

Server-Side Template Injection and Code Injection Detection and Exploitation Tool

Successor of Undetected-Chromedriver. Providing a blazing fast framework for web automation, webscraping, bots and any other creative ideas which are normally hindered by annoying anti bot systems …

Fancy reverse and bind shell handler

Pixel™ phone flashing GUI utility with features.

A small web app to get the lengths of playlists on YouTube

recon for bug hunters

Steganalysis web platform

fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps.

A simple CORS misconfiguration scanner

✨ Purpose only! The dangers of Bluetooth Low Energy（BLE）implementations: Unveiling zero day vulnerabilities and security flaws in modern Bluetooth LE stacks.

A completely private, locally-operated Ai Assistant/Chatbot/Sub-Agent Framework with realistic Long Term Memory and thought formation using Open Source LLMs. Qdrant is used for the Vector DB.

Locally run web app and Chrome extension to remove duplicates from Google Photos

control windows computeur from telegram

AuthMatrix is a Burp Suite extension that provides a simple way to test authorization in web applications and web services.

WonderCMS Authenticated RCE - CVE-2023-41425

Official writeups and challenges for Codefest CTF 2025